prod/actions-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/actions-v2	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/actions-v2alpha	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/actions-v3	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/adsmarketingfrontend-pa-	dictionary_item_added root['schemas']['CountrySpend'] root['schemas']['GetSpendDataResponse']['properties']['countrySpends'] values_changed root['revision'] new_value 20250309 old_value 20250305
prod/adsmarketingfrontend-pa-v1	dictionary_item_added root['schemas']['CountrySpend'] root['schemas']['GetSpendDataResponse']['properties']['countrySpends'] values_changed root['revision'] new_value 20250309 old_value 20250305
prod/aerialview-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/aerialview-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/aerialview-v1beta	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/aida-	values_changed root['revision'] new_value 20250308 old_value 20250306 iterable_item_added root['schemas']['GoogleXPitchforkAidaV1DoConversationRequest']['properties']['clientFeature']['enumDescriptions'][7] Chrome Performance Insights Agent.
prod/aida-v1	values_changed root['revision'] new_value 20250308 old_value 20250306 iterable_item_added root['schemas']['GoogleXPitchforkAidaV1DoConversationRequest']['properties']['clientFeature']['enumDescriptions'][7] Chrome Performance Insights Agent.
prod/aiplugin-pa-	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/aiplugin-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/aiplugin-pa-v1internal	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/aiui-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/aiui-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/alkalidatastore-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/alkalidatastore-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/alkalilearn-pa-	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/alkalilearn-pa-v1	dictionary_item_added root['schemas']['Card']['properties']['imageAltText'] root['schemas']['Feature']['properties']['altText'] root['schemas']['GuideHeader']['properties']['headerArtAltText'] root['schemas']['GuideHeader']['properties']['recommendationArtAltText'] root['schemas']['LessonHeader']['properties']['headerArtAltText'] root['schemas']['ProductHeader']['properties']['headerArtAltText'] root['schemas']['ProductHeader']['properties']['logoArtAltText'] root['schemas']['QuickTip']['properties']['artUriAltText'] root['schemas']['StepContent']['properties']['artUriAltText'] values_changed root['revision'] new_value 20250308 old_value 20250303
prod/alkalilearn-pa-v2	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/alkalilogexporter-pa-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/alkalilogexporter-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/alkaliproducer-pa-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/alkaliproducer-pa-v1	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/analyticssuitefrontend-pa-	values_changed root['revision'] new_value 20250310 old_value 20250306 iterable_item_added root['schemas']['NodeAccess']['properties']['callerAccessActions']['items']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['NodeAccess']['properties']['callerAccessActions']['items']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details. root['schemas']['Permission']['properties']['entityAction']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['Permission']['properties']['entityAction']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details.
prod/analyticssuitefrontend-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250306 iterable_item_added root['schemas']['NodeAccess']['properties']['callerAccessActions']['items']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['NodeAccess']['properties']['callerAccessActions']['items']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details. root['schemas']['Permission']['properties']['entityAction']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['Permission']['properties']['entityAction']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details.
prod/ap-rbmopenmaap-	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/ap-rbmopenmaap-v1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/appsbackup-pa-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/appsbackup-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/appsgenaiserver-pa-	dictionary_item_added root['schemas']['AppsExtensionsSheetsActionsNavigationInfo'] root['schemas']['AppsExtensionsDuetAiActionLinkAccount']['properties']['connectorUrl'] root['schemas']['AppsExtensionsSheetsActionsOpenSidebarAction']['properties']['navigationInfo'] root['schemas']['AppsProtoMediaAudioContent']['properties']['blobName'] dictionary_item_removed root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['pageNumber'] values_changed root['revision'] new_value 20250306 old_value 20250303 root['schemas']['AppsProtoMediaAudioContent']['description'] new_value Information for identifying and playing back audio. Next ID: 17 old_value Information for identifying and playing back audio. Next ID: 16 iterable_item_added root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsExtensionsUiKitGemkickExtensionDetails']['properties']['operationType']['enum'][25] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_IMPRESSION root['schemas']['AppsExtensionsUiKitGemkickExtensionDetails']['properties']['operationType']['enum'][26] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_CLICKED root['schemas']['AppsIntelligenceGenAiClientContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiClientContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['entryPoint']['enum'][46] ENTRY_POINT_VIEWER_FILE_LEVEL_NUDGE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiListGemsRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiListGemsRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiQuotaClientContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiQuotaClientContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][179] SHEETS_GEMS_CAREER_GUIDE_ADVOCATE_FOR_PROMOTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][180] SHEETS_GEMS_CAREER_GUIDE_FIND_MENTOR root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][181] SHEETS_GEMS_CAREER_GUIDE_INTERVIEW_PREP root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][182] SHEETS_GEMS_COPY_CREATOR_EMAIL_MARKETING_CAMPAIGN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][183] SHEETS_GEMS_COPY_CREATOR_KEY_SELLING_POINTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][184] SHEETS_GEMS_COPY_CREATOR_PRODUCT_LAUNCH_ANNOUNCEMENT root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][185] SHEETS_GEMS_COPY_CREATOR_WEBSITE_LANDING_PAGE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][186] SHEETS_GEMS_HIRING_CONSULTANT_INTERVIEW_QUESTIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][187] SHEETS_GEMS_HIRING_CONSULTANT_JOB_APPLICANTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][188] SHEETS_GEMS_HIRING_CONSULTANT_LIST_RESPONSIBILITIES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][189] SHEETS_GEMS_HIRING_CONSULTANT_ONBOARDING_PLAN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][190] SHEETS_GEMS_OUTREACH_SPECIALIST_COMPELLING_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][191] SHEETS_GEMS_OUTREACH_SPECIALIST_CUSTOMER_FEEDBACKS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][192] SHEETS_GEMS_OUTREACH_SPECIALIST_CUSTOMER_SEGMENTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][193] SHEETS_GEMS_OUTREACH_SPECIALIST_WELCOME_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][194] SHEETS_GEMS_SALES_PITCH_IDEATOR_COMPELLING_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][195] SHEETS_GEMS_SALES_PITCH_IDEATOR_OUTLINING_ADVANTAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][196] SHEETS_GEMS_SALES_PITCH_IDEATOR_PRICING_MODELS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][197] SHEETS_GEMS_SALES_PITCH_IDEATOR_SALES_OBJECTIVES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][198] SHEETS_GEMS_SENTIMENT_ANALYZER_CUSTOMER_REVIEWS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][199] SHEETS_GEMS_SENTIMENT_ANALYZER_NEW_PRODUCT root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][200] SHEETS_GEMS_SENTIMENT_ANALYZER_SUPPORT_TICKETS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][201] SHEETS_GEMS_SENTIMENT_ANALYZER_SURVEY_RESPONSES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][202] SHEETS_GEMS_TRIP_PLANNER_COMPARE_DESTINATIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][203] SHEETS_GEMS_TRIP_PLANNER_DAILY_ITINERARY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][204] SHEETS_GEMS_TRIP_PLANNER_TRACK_TRAVEL_EXPENSES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][205] SHEETS_GEMS_TRIP_PLANNER_WEEKEND_IN_CITY root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiTurnContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiTurnContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][418] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][419] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][420] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][421] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][422] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][423] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][314] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][315] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][316] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][317] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][318] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][319] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][448] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][448] Discover Card - NotebookLM root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][314] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][315] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][316] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][317] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][318] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][319] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][448] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][448] Discover Card - NotebookLM root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 iterable_item_removed root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enumDescriptions'][140] Gems Starter Tiles go/keep-sorted start
prod/appsgenaiserver-pa-v1	dictionary_item_added root['schemas']['AppsExtensionsSheetsActionsNavigationInfo'] root['schemas']['AppsExtensionsDuetAiActionLinkAccount']['properties']['connectorUrl'] root['schemas']['AppsExtensionsSheetsActionsOpenSidebarAction']['properties']['navigationInfo'] root['schemas']['AppsProtoMediaAudioContent']['properties']['blobName'] dictionary_item_removed root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['pageNumber'] values_changed root['revision'] new_value 20250306 old_value 20250303 root['schemas']['AppsProtoMediaAudioContent']['description'] new_value Information for identifying and playing back audio. Next ID: 17 old_value Information for identifying and playing back audio. Next ID: 16 iterable_item_added root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsExtensionsUiKitGemkickExtensionDetails']['properties']['operationType']['enum'][25] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_IMPRESSION root['schemas']['AppsExtensionsUiKitGemkickExtensionDetails']['properties']['operationType']['enum'][26] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_CLICKED root['schemas']['AppsIntelligenceGenAiClientContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiClientContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiDataCollectionRequest']['properties']['entryPoint']['enum'][46] ENTRY_POINT_VIEWER_FILE_LEVEL_NUDGE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiListGemsRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiListGemsRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiQuotaClientContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiQuotaClientContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][179] SHEETS_GEMS_CAREER_GUIDE_ADVOCATE_FOR_PROMOTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][180] SHEETS_GEMS_CAREER_GUIDE_FIND_MENTOR root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][181] SHEETS_GEMS_CAREER_GUIDE_INTERVIEW_PREP root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][182] SHEETS_GEMS_COPY_CREATOR_EMAIL_MARKETING_CAMPAIGN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][183] SHEETS_GEMS_COPY_CREATOR_KEY_SELLING_POINTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][184] SHEETS_GEMS_COPY_CREATOR_PRODUCT_LAUNCH_ANNOUNCEMENT root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][185] SHEETS_GEMS_COPY_CREATOR_WEBSITE_LANDING_PAGE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][186] SHEETS_GEMS_HIRING_CONSULTANT_INTERVIEW_QUESTIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][187] SHEETS_GEMS_HIRING_CONSULTANT_JOB_APPLICANTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][188] SHEETS_GEMS_HIRING_CONSULTANT_LIST_RESPONSIBILITIES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][189] SHEETS_GEMS_HIRING_CONSULTANT_ONBOARDING_PLAN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][190] SHEETS_GEMS_OUTREACH_SPECIALIST_COMPELLING_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][191] SHEETS_GEMS_OUTREACH_SPECIALIST_CUSTOMER_FEEDBACKS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][192] SHEETS_GEMS_OUTREACH_SPECIALIST_CUSTOMER_SEGMENTS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][193] SHEETS_GEMS_OUTREACH_SPECIALIST_WELCOME_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][194] SHEETS_GEMS_SALES_PITCH_IDEATOR_COMPELLING_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][195] SHEETS_GEMS_SALES_PITCH_IDEATOR_OUTLINING_ADVANTAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][196] SHEETS_GEMS_SALES_PITCH_IDEATOR_PRICING_MODELS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][197] SHEETS_GEMS_SALES_PITCH_IDEATOR_SALES_OBJECTIVES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][198] SHEETS_GEMS_SENTIMENT_ANALYZER_CUSTOMER_REVIEWS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][199] SHEETS_GEMS_SENTIMENT_ANALYZER_NEW_PRODUCT root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][200] SHEETS_GEMS_SENTIMENT_ANALYZER_SUPPORT_TICKETS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][201] SHEETS_GEMS_SENTIMENT_ANALYZER_SURVEY_RESPONSES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][202] SHEETS_GEMS_TRIP_PLANNER_COMPARE_DESTINATIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][203] SHEETS_GEMS_TRIP_PLANNER_DAILY_ITINERARY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][204] SHEETS_GEMS_TRIP_PLANNER_TRACK_TRAVEL_EXPENSES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][205] SHEETS_GEMS_TRIP_PLANNER_WEEKEND_IN_CITY root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsIntelligenceGenAiTurnContext']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiTurnContext']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['clientId']['enum'][9] SHEETS_ANDROID_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['clientId']['enum'][10] SHEETS_IOS_CLIENT_ID root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][92] GENERATE_NUDGE_PROMPTS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][92] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][418] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][419] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][420] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][421] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][422] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][423] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][314] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][315] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][316] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][317] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][318] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][319] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][448] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][448] Discover Card - NotebookLM root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][314] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][315] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][316] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][317] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][318] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][319] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_EDITORS_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][448] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][448] Discover Card - NotebookLM root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enum'][276] IGMM_MANAGE_STORAGE root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][276] iGMM manage storage OG onramp. https://screenshot.googleplex.com/7QGYxDWkCHuQZf8 iterable_item_removed root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enumDescriptions'][140] Gems Starter Tiles go/keep-sorted start
prod/arcore-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/arcore-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/arcore-v1beta2	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/arcorecloudanchor-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/arcorecloudanchor-v1beta2	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/asia-south1-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/asia-south1-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/asia-south1-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/assuredoss-	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/assuredoss-v1alpha	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/autofill-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/autofill-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/autopush-notifications-pa.sandbox-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/autopush-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/autopush-proddata-notifications-pa.sandbox-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/autopush-proddata-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/autopush-qual-playground-notifications-pa.sandbox-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/autopush-qual-playground-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/bigquery-sq-	values_changed root['revision'] new_value 20250302 old_value 20250225
prod/bigquery-sq-v3	values_changed root['revision'] new_value 20250302 old_value 20250225
prod/buildeventservice-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/buildeventservice-v1	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/capacityplanner-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/capacityplanner-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/capacityplanner-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/carddav-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/carddav-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/carestudio-	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/carestudio-v1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/chromedevicetoken-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/chromedevicetoken-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/cloudchannel-pa-	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/cloudchannel-pa-v1	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/cloudchannel-pa-v1alpha1	dictionary_item_added root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['industry']['enumDeprecated'] root['schemas']['GoogleCloudChannelV1alpha1PartnerInfo']['properties']['partnerViewType'] values_changed root['revision'] new_value 20250308 old_value 20250303
prod/cloudchannel-pa-v2	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/cloudcode-pa-	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/cloudcode-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/cloudcode-pa-v1internal	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/cloudusersettings-pa-	values_changed root['revision'] new_value 20250227 old_value 20250220
prod/cloudusersettings-pa-v1alpha1	values_changed root['revision'] new_value 20250227 old_value 20250220
prod/commerceproducer-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/commerceproducer-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/confidentialcomputing-	values_changed root['revision'] new_value 20250226 old_value 20250224
prod/confidentialcomputing-v1	values_changed root['revision'] new_value 20250226 old_value 20250224
prod/confidentialcomputing-v1alpha1	values_changed root['revision'] new_value 20250226 old_value 20250224
prod/confidentialcomputing-v1main	values_changed root['revision'] new_value 20250226 old_value 20250224
prod/content-actions-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/content-actions-v2	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/content-actions-v2alpha	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/content-actions-v3	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/content-alkalilearn-pa-	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-alkalilearn-pa-v1	dictionary_item_added root['schemas']['Card']['properties']['imageAltText'] root['schemas']['Feature']['properties']['altText'] root['schemas']['GuideHeader']['properties']['headerArtAltText'] root['schemas']['GuideHeader']['properties']['recommendationArtAltText'] root['schemas']['LessonHeader']['properties']['headerArtAltText'] root['schemas']['ProductHeader']['properties']['headerArtAltText'] root['schemas']['ProductHeader']['properties']['logoArtAltText'] root['schemas']['QuickTip']['properties']['artUriAltText'] root['schemas']['StepContent']['properties']['artUriAltText'] values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-alkalilearn-pa-v2	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-autofill-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/content-autofill-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/content-bigquery-sq-	values_changed root['revision'] new_value 20250302 old_value 20250225
prod/content-bigquery-sq-v3	values_changed root['revision'] new_value 20250302 old_value 20250225
prod/content-cloudchannel-pa-	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-cloudchannel-pa-v1	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-cloudchannel-pa-v1alpha1	dictionary_item_added root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['industry']['enumDeprecated'] root['schemas']['GoogleCloudChannelV1alpha1PartnerInfo']['properties']['partnerViewType'] values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-cloudchannel-pa-v2	values_changed root['revision'] new_value 20250308 old_value 20250303
prod/content-cloudusersettings-pa-	values_changed root['revision'] new_value 20250227 old_value 20250220
prod/content-cloudusersettings-pa-v1alpha1	values_changed root['revision'] new_value 20250227 old_value 20250220
prod/content-daily-cloudsearch-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-daily-cloudsearch-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-fit-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/content-fit-v2beta1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/content-quantum-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/content-quantum-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/content-resultstore-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/content-resultstore-v2	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/content-sourcerepo-pa-	values_changed root['revision'] new_value 20250310 old_value 20250228
prod/content-sourcerepo-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250228
prod/content-tasks-pa-	dictionary_item_added root['schemas']['ListTasks']['properties']['excludeAssigned'] values_changed root['revision'] new_value 20250307 old_value 20250304 root['schemas']['ListTasks']['description'] new_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 21 old_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 20 root['schemas']['QueryRequest']['properties']['bypassInit']['description'] new_value This is set for pure read only queries so that we don't do the lazy initialization (directory creation) for disabled/deleted users old_value This is set for pure read only queries so that we don’t do the lazy initialization (directory creation) for disabled/deleted users
prod/content-tasks-pa-v1	dictionary_item_added root['schemas']['ListTasks']['properties']['excludeAssigned'] values_changed root['revision'] new_value 20250307 old_value 20250304 root['schemas']['ListTasks']['description'] new_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 21 old_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 20 root['schemas']['QueryRequest']['properties']['bypassInit']['description'] new_value This is set for pure read only queries so that we don't do the lazy initialization (directory creation) for disabled/deleted users old_value This is set for pure read only queries so that we don’t do the lazy initialization (directory creation) for disabled/deleted users
prod/contrails-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/contrails-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/corplearning-	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/corplearning-v1	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/daily-cloudsearch-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/daily-cloudsearch-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/daily-dynamicmail-pa.sandbox-	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/daily-dynamicmail-pa.sandbox-v2	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/databaseinsights-	values_changed root['revision'] new_value 20250306 old_value 20250228
prod/databaseinsights-v1	values_changed root['revision'] new_value 20250306 old_value 20250228
prod/datamanager-	values_changed root['description'] new_value A unified API for data partners, agencies and advertisers to send first-party data to multiple Google products. old_value API for data partners, agencies and sophisticated advertisers to send data to Google for ads and analytics use cases. root['resources']['audienceMembers']['methods']['ingest']['description'] new_value Uploads a list of AudienceMember resources to the provided Destination. old_value Ingests audience members for audience creation. root['resources']['audienceMembers']['methods']['remove']['description'] new_value Removes a list of AudienceMember resources from the provided Destination. old_value Remove audience members from a given audience. root['revision'] new_value 20250309 old_value 20250304 root['schemas']['AddressInfo']['description'] new_value Address information for the user. old_value Address information for a user. root['schemas']['AddressInfo']['properties']['familyName']['description'] new_value Required. Family (last) name of the user, all lowercase, with no punctuation, no leading or trailing whitespace, and hashed as SHA-256. old_value Required. Family name of the user, which is hashed as SHA-256 after normalized (lower case only and no punctuation). root['schemas']['AddressInfo']['properties']['givenName']['description'] new_value Required. Given (first) name of the user, all lowercase, with no punctuation, no leading or trailing whitespace, and hashed as SHA-256. old_value Required. Given name of the user, which is hashed as SHA-256 after normalized (lower case only and no punctuation). root['schemas']['AudienceMember']['description'] new_value The audience member to be operated on. old_value An audience member to be operated on. root['schemas']['AudienceMember']['properties']['mobileData']['description'] new_value Data identifying the user's mobile devices. old_value Data identifying the mobile device(s) of a user. root['schemas']['AudienceMember']['properties']['pairData']['description'] new_value [Publisher Advertiser Identity Reconciliation (PAIR) IDs](//support.google.com/admanager/answer/15067908). old_value Data related to Publisher Advertiser Identity Reconciliation IDs. root['schemas']['AudienceMember']['properties']['userData']['description'] new_value User-provided data that identifies the user. old_value Multiple pieces of user-provided data, used as the means of identifying the user. It is possible to provide multiple instances of the same type of data (e.g. email address). The more data provided, the more likely a match will be found. root['schemas']['Consent']['description'] new_value [Digital Markets Act (DMA)](//digital-markets-act.ec.europa.eu/index_en) consent settings for the user. old_value Consent for DMA compliance. root['schemas']['Consent']['properties']['adPersonalization']['description'] new_value Optional. Represents if the user consents to ad personalization. old_value Optional. This represents consent for ad personalization. root['schemas']['Consent']['properties']['adUserData']['description'] new_value Optional. Represents if the user consents to ad user data. old_value Optional. This represents consent for ad user data. root['schemas']['Destination']['description'] new_value The Google product you're sending data to. For example, a Google Ads account. old_value Represents destination where data is ingested. root['schemas']['Destination']['properties']['linkedAccount']['description'] new_value Optional. An account that the calling user's `login_account` has access to, through an established account link. For example, a data partner's `login_account` might have access to a client's `linked_account`. The partner might use this field to send data from the `linked_account` to another `operating_account`. old_value Optional. The account to which Login Account has established permission with using Account link. root['schemas']['Destination']['properties']['loginAccount']['description'] new_value Optional. The account used to make this API call. To add or remove data from the `operating_account`, this `login_account` must have write access to the `operating_account`. For example, a manager account of the `operating_account`, or an account with an established link to the `operating_account`. old_value Optional. The account to which the calling user has access to. root['schemas']['Destination']['properties']['operatingAccount']['description'] new_value Required. The account to send the data to or remove the data from. old_value Required. The Account to which the API call is targeted to. root['schemas']['Destination']['properties']['productDestinationId']['description'] new_value Optional. A specific location within the product to send the data to. For example, a specific Google Ads campaign or Google Analytics property. old_value Optional. The object within the product account to ingest into. This is optional when the ingestion is tied to the account (e.g. GA4 user properties). root['schemas']['EncryptionInfo']['properties']['gcpWrappedKeyInfo']['description'] new_value Google Cloud Platform wrapped key information. old_value GCP wrapped key information. root['schemas']['GcpWrappedKeyInfo']['description'] new_value Information about the Google Cloud Platform wrapped key. old_value Information about the GCP wrapped key. root['schemas']['GcpWrappedKeyInfo']['properties']['kekUri']['description'] new_value Required. Google Cloud Platform [Cloud Key Management Service resource ID](//cloud.google.com/kms/docs/getting-resource-ids). old_value Required. GCP Cloud KMS Resource Id. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['description'] new_value Required. The type of algorithm used to encrypt the data. old_value Required. The Key type (encryption algorithm) used to encrypt the data. root['schemas']['GcpWrappedKeyInfo']['properties']['wipProvider']['description'] new_value Required. The [Workload Identity](//cloud.google.com/iam/docs/workload-identity-federation) pool provider required to use KEK. old_value Required. The Workload Identity Pool provider required to use KEK. root['schemas']['IngestAudienceMembersRequest']['description'] new_value Request to upload audience members to the provided destinations. Returns an IngestAudienceMembersResponse. old_value Request to ingest users. root['schemas']['IngestAudienceMembersRequest']['properties']['audienceMembers']['description'] new_value Required. The list of users to send to the specified destinations. old_value Required. The list of users to ingest, along with a pointer to the destination they should be ingested into. root['schemas']['IngestAudienceMembersRequest']['properties']['consent']['description'] new_value Optional. Request-level consent to apply to all users in the request. User-level consent overrides request-level consent, and can be specified in each AudienceMember. old_value Optional. Request level consent applied to all users ingested to this request. User level consent will override the request level consent if set. root['schemas']['IngestAudienceMembersRequest']['properties']['destinations']['description'] new_value Required. The list of destinations to send the audience members to. old_value Required. The list of possible ingestion destinations. root['schemas']['IngestAudienceMembersRequest']['properties']['encoding']['description'] new_value Optional. Required for UserData uploads. The encoding type of the user identifiers. For hashed user identifiers, this is the encoding type of the hashed string. For encrypted hashed user identifiers, this is the encoding type of the outer encrypted string, but not necessarily the inner hashed string, meaning the inner hashed string could be encoded in a different way than the outer encrypted string. For non `UserData` uploads, this field is ignored. old_value Optional. The encoding type of the user identifiers. For encrypted user identifiers, this only applies to the outer encoding. This field must be set for UserData uploads. For non UserData ingestion, this field is ignored. root['schemas']['IngestAudienceMembersRequest']['properties']['encryptionInfo']['description'] new_value Optional. Encryption information for UserData uploads. If not set, it's assumed that uploaded identifying information is hashed but not encrypted. For non `UserData` uploads, this field is ignored. old_value Optional. Encryption information for UserData uploads. For non UserData uploads, this field is ignored. For UserData uploads, if this field is not set, it is assumed that uploaded pii is hashed but not encrypted. root['schemas']['IngestAudienceMembersRequest']['properties']['validateOnly']['description'] new_value Optional. For testing purposes. If `true`, the request is validated but not executed. Only errors are returned, not results. old_value Optional. If true, the request is validated but not executed. Only errors are returned, not results. root['schemas']['IngestAudienceMembersResponse']['description'] new_value Response from the IngestAudienceMembersRequest. old_value Response to ingest users. root['schemas']['IngestAudienceMembersResponse']['properties']['requestId']['description'] new_value The auto-generated ID of the request. old_value The generated request id of the Ingestion Request. root['schemas']['MobileData']['description'] new_value Mobile IDs for the audience. At least one mobile ID is required. old_value Mobile data holding the mobile ids. At least one mobile id is required. root['schemas']['MobileData']['properties']['mobileIds']['description'] new_value Required. The list of mobile device IDs (advertising ID/IDFA). old_value Required. The list of Mobile device IDs (advertising ID/IDFA). root['schemas']['PairData']['description'] new_value [PAIR](//support.google.com/admanager/answer/15067908) IDs for the audience. At least one PAIR ID is required. old_value PAIR data holding the pair ids. At least one pair id is required. root['schemas']['PairData']['properties']['pairIds']['description'] new_value Required. Cleanroom-provided PII data, hashed with SHA256, and encrypted with an EC commutative cipher using publisher key for the [PAIR]((//support.google.com/admanager/answer/15067908)) user list. old_value Required. Cleanroom provided PII data hashed with SHA256 and encrypted with an EC commutative cipher using publisher key for Publisher Advertiser Identity Reconciliation user list. root['schemas']['ProductAccount']['description'] new_value Represents a specific account. old_value A product specific customer account. root['schemas']['ProductAccount']['properties']['accountId']['description'] new_value Required. The ID of the account. For example, your Google Ads account ID. old_value Required. The account id of the account. root['schemas']['ProductAccount']['properties']['product']['description'] new_value Required. The product the account belongs to. For example, `GOOGLE_ADS`. old_value Required. The product type of the account. root['schemas']['RemoveAudienceMembersRequest']['description'] new_value Request to remove users from an audience in the provided destinations. Returns a RemoveAudienceMembersResponse. old_value Request to remove users. root['schemas']['RemoveAudienceMembersRequest']['properties']['audienceMembers']['description'] new_value Required. The list of users to remove. old_value Required. The list of users to remove, along with a pointer to the destination they should be removed from. root['schemas']['RemoveAudienceMembersRequest']['properties']['destinations']['description'] new_value Required. The list of destinations to remove the users from. old_value Required. The list of possible destinations to remove data from. root['schemas']['RemoveAudienceMembersRequest']['properties']['encoding']['description'] new_value Optional. Required for UserData uploads. The encoding type of the user identifiers. Applies to only the outer encoding for encrypted user identifiers. For non `UserData` uploads, this field is ignored. old_value Optional. The encoding type of the user identifiers. For encrypted user identifiers, this only applies to the outer encoding. This field must be set for UserData. For non UserData, this field is ignored. root['schemas']['RemoveAudienceMembersRequest']['properties']['encryptionInfo']['description'] new_value Optional. Encryption information for UserData uploads. If not set, it's assumed that uploaded identifying information is hashed but not encrypted. For non `UserData` uploads, this field is ignored. old_value Optional. Encryption information for UserData. For non UserData, this field is ignored. For UserData, if this field is not set, it is assumed that pii is hashed but not encrypted. root['schemas']['RemoveAudienceMembersRequest']['properties']['validateOnly']['description'] new_value Optional. For testing purposes. If `true`, the request is validated but not executed. Only errors are returned, not results. old_value Optional. If true, the request is validated but not executed. Only errors are returned, not results. root['schemas']['RemoveAudienceMembersResponse']['description'] new_value Response from the RemoveAudienceMembersRequest. old_value Response to remove users. root['schemas']['RemoveAudienceMembersResponse']['properties']['requestId']['description'] new_value The auto-generated ID of the request. old_value The generated request id of the removal Request. root['schemas']['UserData']['description'] new_value Data that identifies the user. At least one identifier is required. old_value User data holding user identifiers. At least one identifier is required. root['schemas']['UserData']['properties']['userIdentifiers']['description'] new_value Required. The identifiers for the user. It's possible to provide multiple instances of the same type of data (for example, multiple email addresses). To increase the likelihood of a match, provide as many identifiers as possible. old_value Required. The list of user identifiers known for the user. root['schemas']['UserIdentifier']['description'] new_value A single identifier for the user. old_value User identifying information. root['schemas']['UserIdentifier']['properties']['address']['description'] new_value The known components of a user's address. Holds a grouping of identifiers that are matched all at once. old_value An address information object known for the user. This holds a grouping of identifiers that will be matched all at once. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['enumDescriptions'][0] new_value Unspecified key type. Should never be used. old_value Unspecified Key type. Should never be used. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['enumDescriptions'][1] new_value Algorithm XChaCha20-Poly1305 old_value XChaCha20-Poly1305
prod/datamanager-v1	values_changed root['description'] new_value A unified API for data partners, agencies and advertisers to send first-party data to multiple Google products. old_value API for data partners, agencies and sophisticated advertisers to send data to Google for ads and analytics use cases. root['resources']['audienceMembers']['methods']['ingest']['description'] new_value Uploads a list of AudienceMember resources to the provided Destination. old_value Ingests audience members for audience creation. root['resources']['audienceMembers']['methods']['remove']['description'] new_value Removes a list of AudienceMember resources from the provided Destination. old_value Remove audience members from a given audience. root['revision'] new_value 20250309 old_value 20250304 root['schemas']['AddressInfo']['description'] new_value Address information for the user. old_value Address information for a user. root['schemas']['AddressInfo']['properties']['familyName']['description'] new_value Required. Family (last) name of the user, all lowercase, with no punctuation, no leading or trailing whitespace, and hashed as SHA-256. old_value Required. Family name of the user, which is hashed as SHA-256 after normalized (lower case only and no punctuation). root['schemas']['AddressInfo']['properties']['givenName']['description'] new_value Required. Given (first) name of the user, all lowercase, with no punctuation, no leading or trailing whitespace, and hashed as SHA-256. old_value Required. Given name of the user, which is hashed as SHA-256 after normalized (lower case only and no punctuation). root['schemas']['AudienceMember']['description'] new_value The audience member to be operated on. old_value An audience member to be operated on. root['schemas']['AudienceMember']['properties']['mobileData']['description'] new_value Data identifying the user's mobile devices. old_value Data identifying the mobile device(s) of a user. root['schemas']['AudienceMember']['properties']['pairData']['description'] new_value [Publisher Advertiser Identity Reconciliation (PAIR) IDs](//support.google.com/admanager/answer/15067908). old_value Data related to Publisher Advertiser Identity Reconciliation IDs. root['schemas']['AudienceMember']['properties']['userData']['description'] new_value User-provided data that identifies the user. old_value Multiple pieces of user-provided data, used as the means of identifying the user. It is possible to provide multiple instances of the same type of data (e.g. email address). The more data provided, the more likely a match will be found. root['schemas']['Consent']['description'] new_value [Digital Markets Act (DMA)](//digital-markets-act.ec.europa.eu/index_en) consent settings for the user. old_value Consent for DMA compliance. root['schemas']['Consent']['properties']['adPersonalization']['description'] new_value Optional. Represents if the user consents to ad personalization. old_value Optional. This represents consent for ad personalization. root['schemas']['Consent']['properties']['adUserData']['description'] new_value Optional. Represents if the user consents to ad user data. old_value Optional. This represents consent for ad user data. root['schemas']['Destination']['description'] new_value The Google product you're sending data to. For example, a Google Ads account. old_value Represents destination where data is ingested. root['schemas']['Destination']['properties']['linkedAccount']['description'] new_value Optional. An account that the calling user's `login_account` has access to, through an established account link. For example, a data partner's `login_account` might have access to a client's `linked_account`. The partner might use this field to send data from the `linked_account` to another `operating_account`. old_value Optional. The account to which Login Account has established permission with using Account link. root['schemas']['Destination']['properties']['loginAccount']['description'] new_value Optional. The account used to make this API call. To add or remove data from the `operating_account`, this `login_account` must have write access to the `operating_account`. For example, a manager account of the `operating_account`, or an account with an established link to the `operating_account`. old_value Optional. The account to which the calling user has access to. root['schemas']['Destination']['properties']['operatingAccount']['description'] new_value Required. The account to send the data to or remove the data from. old_value Required. The Account to which the API call is targeted to. root['schemas']['Destination']['properties']['productDestinationId']['description'] new_value Optional. A specific location within the product to send the data to. For example, a specific Google Ads campaign or Google Analytics property. old_value Optional. The object within the product account to ingest into. This is optional when the ingestion is tied to the account (e.g. GA4 user properties). root['schemas']['EncryptionInfo']['properties']['gcpWrappedKeyInfo']['description'] new_value Google Cloud Platform wrapped key information. old_value GCP wrapped key information. root['schemas']['GcpWrappedKeyInfo']['description'] new_value Information about the Google Cloud Platform wrapped key. old_value Information about the GCP wrapped key. root['schemas']['GcpWrappedKeyInfo']['properties']['kekUri']['description'] new_value Required. Google Cloud Platform [Cloud Key Management Service resource ID](//cloud.google.com/kms/docs/getting-resource-ids). old_value Required. GCP Cloud KMS Resource Id. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['description'] new_value Required. The type of algorithm used to encrypt the data. old_value Required. The Key type (encryption algorithm) used to encrypt the data. root['schemas']['GcpWrappedKeyInfo']['properties']['wipProvider']['description'] new_value Required. The [Workload Identity](//cloud.google.com/iam/docs/workload-identity-federation) pool provider required to use KEK. old_value Required. The Workload Identity Pool provider required to use KEK. root['schemas']['IngestAudienceMembersRequest']['description'] new_value Request to upload audience members to the provided destinations. Returns an IngestAudienceMembersResponse. old_value Request to ingest users. root['schemas']['IngestAudienceMembersRequest']['properties']['audienceMembers']['description'] new_value Required. The list of users to send to the specified destinations. old_value Required. The list of users to ingest, along with a pointer to the destination they should be ingested into. root['schemas']['IngestAudienceMembersRequest']['properties']['consent']['description'] new_value Optional. Request-level consent to apply to all users in the request. User-level consent overrides request-level consent, and can be specified in each AudienceMember. old_value Optional. Request level consent applied to all users ingested to this request. User level consent will override the request level consent if set. root['schemas']['IngestAudienceMembersRequest']['properties']['destinations']['description'] new_value Required. The list of destinations to send the audience members to. old_value Required. The list of possible ingestion destinations. root['schemas']['IngestAudienceMembersRequest']['properties']['encoding']['description'] new_value Optional. Required for UserData uploads. The encoding type of the user identifiers. For hashed user identifiers, this is the encoding type of the hashed string. For encrypted hashed user identifiers, this is the encoding type of the outer encrypted string, but not necessarily the inner hashed string, meaning the inner hashed string could be encoded in a different way than the outer encrypted string. For non `UserData` uploads, this field is ignored. old_value Optional. The encoding type of the user identifiers. For encrypted user identifiers, this only applies to the outer encoding. This field must be set for UserData uploads. For non UserData ingestion, this field is ignored. root['schemas']['IngestAudienceMembersRequest']['properties']['encryptionInfo']['description'] new_value Optional. Encryption information for UserData uploads. If not set, it's assumed that uploaded identifying information is hashed but not encrypted. For non `UserData` uploads, this field is ignored. old_value Optional. Encryption information for UserData uploads. For non UserData uploads, this field is ignored. For UserData uploads, if this field is not set, it is assumed that uploaded pii is hashed but not encrypted. root['schemas']['IngestAudienceMembersRequest']['properties']['validateOnly']['description'] new_value Optional. For testing purposes. If `true`, the request is validated but not executed. Only errors are returned, not results. old_value Optional. If true, the request is validated but not executed. Only errors are returned, not results. root['schemas']['IngestAudienceMembersResponse']['description'] new_value Response from the IngestAudienceMembersRequest. old_value Response to ingest users. root['schemas']['IngestAudienceMembersResponse']['properties']['requestId']['description'] new_value The auto-generated ID of the request. old_value The generated request id of the Ingestion Request. root['schemas']['MobileData']['description'] new_value Mobile IDs for the audience. At least one mobile ID is required. old_value Mobile data holding the mobile ids. At least one mobile id is required. root['schemas']['MobileData']['properties']['mobileIds']['description'] new_value Required. The list of mobile device IDs (advertising ID/IDFA). old_value Required. The list of Mobile device IDs (advertising ID/IDFA). root['schemas']['PairData']['description'] new_value [PAIR](//support.google.com/admanager/answer/15067908) IDs for the audience. At least one PAIR ID is required. old_value PAIR data holding the pair ids. At least one pair id is required. root['schemas']['PairData']['properties']['pairIds']['description'] new_value Required. Cleanroom-provided PII data, hashed with SHA256, and encrypted with an EC commutative cipher using publisher key for the [PAIR]((//support.google.com/admanager/answer/15067908)) user list. old_value Required. Cleanroom provided PII data hashed with SHA256 and encrypted with an EC commutative cipher using publisher key for Publisher Advertiser Identity Reconciliation user list. root['schemas']['ProductAccount']['description'] new_value Represents a specific account. old_value A product specific customer account. root['schemas']['ProductAccount']['properties']['accountId']['description'] new_value Required. The ID of the account. For example, your Google Ads account ID. old_value Required. The account id of the account. root['schemas']['ProductAccount']['properties']['product']['description'] new_value Required. The product the account belongs to. For example, `GOOGLE_ADS`. old_value Required. The product type of the account. root['schemas']['RemoveAudienceMembersRequest']['description'] new_value Request to remove users from an audience in the provided destinations. Returns a RemoveAudienceMembersResponse. old_value Request to remove users. root['schemas']['RemoveAudienceMembersRequest']['properties']['audienceMembers']['description'] new_value Required. The list of users to remove. old_value Required. The list of users to remove, along with a pointer to the destination they should be removed from. root['schemas']['RemoveAudienceMembersRequest']['properties']['destinations']['description'] new_value Required. The list of destinations to remove the users from. old_value Required. The list of possible destinations to remove data from. root['schemas']['RemoveAudienceMembersRequest']['properties']['encoding']['description'] new_value Optional. Required for UserData uploads. The encoding type of the user identifiers. Applies to only the outer encoding for encrypted user identifiers. For non `UserData` uploads, this field is ignored. old_value Optional. The encoding type of the user identifiers. For encrypted user identifiers, this only applies to the outer encoding. This field must be set for UserData. For non UserData, this field is ignored. root['schemas']['RemoveAudienceMembersRequest']['properties']['encryptionInfo']['description'] new_value Optional. Encryption information for UserData uploads. If not set, it's assumed that uploaded identifying information is hashed but not encrypted. For non `UserData` uploads, this field is ignored. old_value Optional. Encryption information for UserData. For non UserData, this field is ignored. For UserData, if this field is not set, it is assumed that pii is hashed but not encrypted. root['schemas']['RemoveAudienceMembersRequest']['properties']['validateOnly']['description'] new_value Optional. For testing purposes. If `true`, the request is validated but not executed. Only errors are returned, not results. old_value Optional. If true, the request is validated but not executed. Only errors are returned, not results. root['schemas']['RemoveAudienceMembersResponse']['description'] new_value Response from the RemoveAudienceMembersRequest. old_value Response to remove users. root['schemas']['RemoveAudienceMembersResponse']['properties']['requestId']['description'] new_value The auto-generated ID of the request. old_value The generated request id of the removal Request. root['schemas']['UserData']['description'] new_value Data that identifies the user. At least one identifier is required. old_value User data holding user identifiers. At least one identifier is required. root['schemas']['UserData']['properties']['userIdentifiers']['description'] new_value Required. The identifiers for the user. It's possible to provide multiple instances of the same type of data (for example, multiple email addresses). To increase the likelihood of a match, provide as many identifiers as possible. old_value Required. The list of user identifiers known for the user. root['schemas']['UserIdentifier']['description'] new_value A single identifier for the user. old_value User identifying information. root['schemas']['UserIdentifier']['properties']['address']['description'] new_value The known components of a user's address. Holds a grouping of identifiers that are matched all at once. old_value An address information object known for the user. This holds a grouping of identifiers that will be matched all at once. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['enumDescriptions'][0] new_value Unspecified key type. Should never be used. old_value Unspecified Key type. Should never be used. root['schemas']['GcpWrappedKeyInfo']['properties']['keyType']['enumDescriptions'][1] new_value Algorithm XChaCha20-Poly1305 old_value XChaCha20-Poly1305
prod/developerscontentsearch-pa-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/developerscontentsearch-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/embeddedassistant-	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/embeddedassistant-v1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/embeddedassistant-v1alpha2	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/embeddedassistant-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/emmapplecodevice-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/eu-enterpriseknowledgegraph-	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/eu-enterpriseknowledgegraph-v1	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/eu-rbmopenmaap-	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/eu-rbmopenmaap-v1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/europe-west3-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/europe-west3-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/europe-west3-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/familymanagement-pa-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/familymanagement-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/fcmregistrations-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/fcmregistrations-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/firebaseabt-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/firebaseabt-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/firebaseabt-pa-v2	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/firebaseapphosting-	values_changed root['revision'] new_value 20250305 old_value 20250304
prod/firebaseapphosting-v1	values_changed root['revision'] new_value 20250305 old_value 20250304
prod/firebaseapphosting-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250304
prod/firebaseapphosting-v1beta	values_changed root['revision'] new_value 20250305 old_value 20250304
prod/firebaseapptesters-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebaseapptesters-v1	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebaseapptesters-v1alpha	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasecrashlytics-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasecrashlytics-v1alpha	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/firebaseextensions-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/firebaseextensions-v1beta	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/firebaseextensionspublisher-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/firebaseextensionspublisher-v1beta	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/firebasegenaimonitoring-pa-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasegenaimonitoring-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebaseinstallations-	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/firebaseinstallations-v1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/firebasereleasemon-pa-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasereleasemon-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebaseremoteconfig-pa-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebaseremoteconfig-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebaseremoteconfig-pa-v2	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebaseremoteconfigrealtime-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebaseremoteconfigrealtime-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebasesagepredictions-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/firebasesagepredictions-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/firebasetargeting-pa-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/firebasetargeting-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/fireconsole-pa-	dictionary_item_added root['schemas']['AnalyticsConfigPerformanceemailPerformanceEmailKey'] root['schemas']['AnalyticsConfigEntityKey']['properties']['performanceEmailKey'] values_changed root['revision'] new_value 20250307 old_value 20250305 iterable_item_added root['schemas']['Permission']['properties']['entityType']['enum'][264] PERFORMANCE_EMAIL
prod/fireconsole-pa-v1	dictionary_item_added root['schemas']['AnalyticsConfigPerformanceemailPerformanceEmailKey'] root['schemas']['AnalyticsConfigEntityKey']['properties']['performanceEmailKey'] values_changed root['revision'] new_value 20250307 old_value 20250305 iterable_item_added root['schemas']['Permission']['properties']['entityType']['enum'][264] PERFORMANCE_EMAIL
prod/fit-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/fit-v2beta1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/floodforecasting-	dictionary_item_added root['schemas']['GaugeModel']['properties']['gaugeModelId'] dictionary_item_removed root['resources']['floodStatus']['methods']['queryLatestFloodStatusByGaugeIds']['parameters']['pageSize'] root['resources']['floodStatus']['methods']['queryLatestFloodStatusByGaugeIds']['parameters']['pageToken'] root['schemas']['QueryLatestFloodStatusByGaugeIdsResponse']['properties']['nextPageToken'] values_changed root['revision'] new_value 20250310 old_value 20250224
prod/floodforecasting-v1	dictionary_item_added root['schemas']['GaugeModel']['properties']['gaugeModelId'] dictionary_item_removed root['resources']['floodStatus']['methods']['queryLatestFloodStatusByGaugeIds']['parameters']['pageSize'] root['resources']['floodStatus']['methods']['queryLatestFloodStatusByGaugeIds']['parameters']['pageToken'] root['schemas']['QueryLatestFloodStatusByGaugeIdsResponse']['properties']['nextPageToken'] values_changed root['revision'] new_value 20250310 old_value 20250224
prod/generativelanguage-	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/generativelanguage-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/generativelanguage-v1alpha	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/generativelanguage-v1beta	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/generativelanguage-v1beta1	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/generativelanguage-v1beta2	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/generativelanguage-v1beta3	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/geoar-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/geoar-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/geofeedtaskrouting-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/geofeedtaskrouting-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/growth-pa-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/growth-pa-v1	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/gsuiteaddons-v1alpha1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/guidedhelp-pa-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/guidedhelp-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/hourly-dynamicmail-pa.sandbox-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/hourly-dynamicmail-pa.sandbox-v2	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/ipprotection-ppissuer-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/ipprotection-ppissuer-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/kidsmanagement-pa-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/kidsmanagement-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/kidsnotification-pa-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/kidsnotification-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/legalproductions-pa-	values_changed root['revision'] new_value 20250309 old_value 20250126
prod/legalproductions-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250126
prod/licensemanager-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/licensemanager-v1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/licensemanager-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/linkauthorization-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/linkauthorization-v1	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/localservicespartner-	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/localservicespartner-v1beta1	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/mapsplatformdatasets-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/mapsplatformdatasets-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/mapsplatformdatasets-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/media3p-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/media3p-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/microservices-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/microservices-v1alpha1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/mlkit-	values_changed root['revision'] new_value 20250309 old_value 20250225
prod/mlkit-pa-	values_changed root['revision'] new_value 20250309 old_value 20250225
prod/mlkit-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250225
prod/mlkit-v1	values_changed root['revision'] new_value 20250309 old_value 20250225
prod/mlkit-v1beta1	values_changed root['revision'] new_value 20250309 old_value 20250225
prod/mobilemlaccelerationcompatibility-	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/mobilemlaccelerationcompatibility-v1	values_changed root['revision'] new_value 20250309 old_value 20250307
prod/mobileperformancereporting-pa-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/mobileperformancereporting-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/mobilesdk-pa-	values_changed root['revision'] new_value 20250307 old_value 20250305
prod/mobilesdk-pa-v1	values_changed root['revision'] new_value 20250307 old_value 20250305
prod/monospace-pa-	values_changed root['revision'] new_value 20250309 old_value 20250308
prod/monospace-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250308
prod/networkbuildingblocks-pa-	values_changed root['revision'] new_value 20250310 old_value 20250226
prod/networkbuildingblocks-pa-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250226
prod/northamerica-northeast2-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/northamerica-northeast2-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/northamerica-northeast2-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/northamerica-northeast2-dataproccontrol-	values_changed root['revision'] new_value 20250306 old_value 20250224
prod/northamerica-northeast2-dataproccontrol-v1	values_changed root['revision'] new_value 20250306 old_value 20250224
prod/notifications-pa-	dictionary_item_added root['schemas']['GoogleLogsTapandpayAndroid__TransitHceSessionEvent']['properties']['isSideloaded'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_IosNotificationPermissions']['properties']['aiPrioritizationSetting'] values_changed root['revision'] new_value 20250309 old_value 20250304 root['schemas']['GoogleLogsTapandpayAndroid__TransitHceSessionEvent']['description'] new_value Event related to communication over NFC using close loop transit tap. Next id: 33 old_value Event related to communication over NFC using close loop transit tap. Next id: 32 root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_IosNotificationPermissions']['properties']['aiSummarizationSetting']['description'] new_value The setting that indicates whether the OS uses Apple Intelligence to summarize notifications for this app. This is currently an undocumented API, so we need to monitor how this is used. old_value The setting that indicates whether the app can uses Apple Intelligence to summarize notifications. This is currently an undocumented API, so we need to monitor how this is used. root['schemas']['Sidekick__Action']['properties']['type']['description'] new_value LINT.ThenChange( //depot/google3/logs/proto/sidekick/sidekicklogs.proto, //depot/google3/geo/sidekick/proto/analysis_action_map.txt, //depot/google3/java/com/google/search/now/common/footprints/NotificationActionTypes.java, ) old_value LINT.ThenChange( //depot/google3/logs/proto/sidekick/sidekicklogs.proto, //depot/google3/geo/sidekick/proto/analysis_action_map.txt, //depot/google3/java/com/google/search/now/common/data/action/ActionUtil.java, ) root['schemas']['Sidekick__ClusterMetadata']['properties'] new_value bottomMarginInDp description Override bottom margin for the given cluster in dp. Only specifiable for Android v6.0+. format int32 type integer clusterType description Type of the cluster. enum OTHER AROUND_YOU UPCOMING UPDATES STORIES TRIP MORE_CARDS WEBKICK_STORIES INTEREST_UPDATE ENTITY_BASED RECOMMENDATION EXPERIMENTAL ELECTION ONBOARDING THIRD_PARTY_APPS_AND_SITES NOW_ON_TAP_STREAM TOP_STORIES_GENERAL AT_A_CONTEXT TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED ELECTION_STORIES BEFORE_PLACE IN_VEHICLE DEEP_NOW_WHOLE_CLUSTER OLYMPICS INTERESTS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_PROMO_BANNER ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS NEW_TO_YOU FEED_ADS enumDescriptions All clusters not from types below. This type should be used only for debugging or as a temporary solution. Lotic cluster IDs. Cluster at the bottom of the stream for experimental cards. New cards should start out as experimental, and after approval may move to the "dogfood" stage to show up in other clusters. The cluster is to be shown in the Now on Tap stream. See go/peek-at-now as an example feature. DeepNow is the framework for serving TensorFlow learned models to help in ranking/scoring Now cards. These models are learned using Now logs and intended to be displayed in a separate cluster for the initial live experiments. For more details, deep-now@ and/or jameskunz@. Cluster containing standalone election stories carousel, when there are no civic election cards present. Cluster containing information about the user's next destination. Cluster containing information that a user might need while in a vehicle. Similar to DEEP_NOW_SUGGESTED, but for when a whole cluster is moved. Cluster containing information about the olympics. Keep me updated (KMU) interest clusters. Weather cluster in Lightyear to be ranked at 1. Cluster containing a HaTS survey card. Single view tutorial card position to be ranked at 1 and shown rarely. Clusters for the Assistant HQ. Clusters for the new-to-you content. Ads clusters. type string needBundleType description The type of the NeedBundle that triggers the cluster. enum UNKNOWN CURRENT_LOCATION AT_A_CONTEXT UPCOMING TRIP CURRENT_TRIP UPDATE CONTENT RECOMMENDATION NON_PERSONALIZED ELECTION ELECTION_STORIES ONBOARDING ONBOARDING_MOVIES ONBOARDING_MUSIC ONBOARDING_SPORTS ONBOARDING_STOCKS FULL_PAGE_INTEREST_PICKER_LURE MISC THIRD_PARTY THIRD_PARTY_APPS_AND_SITES CUSTOMIZE INTERNAL INTERNAL_TOP_OF_STREAM INTERNAL_BOTTOM_OF_STREAM INTERNAL_PROMO NOTIFICATION EXPERIMENTAL IOS_PROMO LOBBY IN_VEHICLE OLYMPICS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME TOP_STORIES_GENERAL TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED BEFORE_PLACE KMU_MOVIE_WITH_RELEASE_DATE KMU_ACTOR_TO_MOVIE_WITH_RELEASE_DATE KMU_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_V2_MOVIE_STREAMING_WITH_RELEASE_DATE FEED_V2_MOVIE_WITH_RELEASE_DATE FEED_V2_YOUTUBE_MUSIC_VIDEOS FEED_V2_YOUTUBE_LIVE_STREAMS FEED_V2_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_ACTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_ARTIST_TO_YT_MUSIC_VIDEO FEED_ATHLETE_TO_TEAM_WITH_JOIN_DATE FEED_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_COACH_TO_TEAM_WITH_JOIN_DATE FEED_DIRECTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_LOCATION_TO_BOLLYWOOD_UPDATE FEED_MOVIE_SHOWTIMES FEED_MOVIE_TO_MOVIE_SEQUEL_WITH_RELEASE_DATE FEED_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_SPORTS_ATHLETE_COLLECTION FEED_SPORTS_LEAGUE_STANDING FEED_SPORTS_PRE_GAME_COLLECTION FEED_SPORTS_POST_GAME_COLLECTION FEED_SPORTS_ONGOING_GAME_COLLECTION FEED_SPORTS_PRIMARY_LEAGUE_COLLECTION FEED_SPORTS_SECONDARY_LEAGUE_COLLECTION FEED_SPORTS_TEAM_TO_JOIN_DATE FEED_SUGGESTED_ACTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_SUGGESTED_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_MOVIE_WITH_RELEASE_DATE FEED_TV_SERIES_TO_NEW_AIRING_EPISODE FEED_VIEDOGAME_TO_VIDEOGAME_SERIES_WITH_RELEASE_DATE FEED_VIDEOGAME_WITH_RELEASE_DATE FEED_VOTING_REMINDER FEED_ONBOARDING_INTEREST_PICKER FEED_GESTALT_WELCOME_CARD FEED_WEATHER DASHBOARD_STOCK_TICKER_LIST KMU_TRENDING_STORY SEARCH_AWARENESS SPORTS_AWARENESS TV_EPISODE_AWARENESS KMU_HOT_KP KMU_FINANCE KMU_SPORTS_GAME ENHANCED_PERSONAL_DASHBOARD_MY_DAY ENHANCED_PERSONAL_DASHBOARD_AROUND_ME ENHANCED_PERSONAL_DASHBOARD_UPDATES KMU_SMEARED_MOVIE_WITH_RELEASE_DATE ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS ASSISTANT_HQ_HIGHLIGHTS_EVAL ASSISTANT_HQ_AGENDA_EVAL ASSISTANT_HQ_TRAVEL_EVAL ASSISTANT_HQ_REMINDERS_EVAL ASSISTANT_HQ_ORDERS_EVAL ASSISTANT_HQ_SHOPPING_LIST_EVAL ASSISTANT_HQ_PROMO_BANNER TUTORIAL_PROMO_FEED TUTORIAL_PROMO_DASHBOARD FEED_TODAY_IN_HISTORY_BIRTHDAY FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY FEED_TODAY_IN_HISTORY_GEO_ESTABLISHED FEED_TODAY_IN_HISTORY_HISTORICAL_EVENT FEED_TODAY_IN_HISTORY_LAW_IN_EFFECT FEED_TODAY_IN_HISTORY_LAW_RATIFIED FEED_TODAY_IN_HISTORY_LEGAL_CASE_DECIDED FEED_TODAY_IN_HISTORY_EVENTS_LOCALIZED FEED_TODAY_IN_HISTORY_BIRTHDAY_LOCALIZED FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY_LOCALIZED NEW_TO_YOU NEW_TO_YOU_MOVIE NEW_TO_YOU_VIDEO_PURCHASE NEW_TO_YOU_TRIP NEW_TO_YOU_HOBBY_TRIP NEW_TO_YOU_LANDMARK NEW_TO_YOU_MOVIE_CAST NEW_TO_YOU_REMINDER NEW_TO_YOU_WHILE_TRAVELING NEW_TO_YOU_VASCO_TASK NEW_TO_YOU_VASCO_FRESH_TASK NEW_TO_YOU_VASCO_VIDEO_TASK NEW_TO_YOU_FRESH_INTEREST NEW_TO_YOU_BOOK_PURCHASE NEW_TO_YOU_VIDEO_GAME_PURCHASE NEW_TO_YOU_SOFTWARE_PURCHASE NEW_TO_YOU_LIVE_VIDEO NEW_TO_YOU_TODAY_IN_HISTORY NEW_TO_YOU_EVENT NEW_TO_YOU_LONG_TERM_INTEREST NEW_TO_YOU_PARENTING NEW_TO_YOU_AFTER_A_PLACE LONG_TERM_INTEREST URL_TO_URL_RECOMMENDATION_CROSSPATH URL_TO_URL_RECOMMENDATION_FRESH URL_TO_URL_RECOMMENDATION URL_TO_URL_RECOMMENDATION_RUBY URL_TO_URL_RECOMMENDATION_VIEW URL_TO_URL_RECOMMENDATION_HEART STOCK_END_OF_DAY_NOTIFICATION STOCK_IPO_DAY_OF_NOTIFICATION FEED_AWARDS_TO_AWARDS_CEREMONY_REMINDER FEED_AWARDS_TO_AWARDS_CEREMONY_SUMMARY FEED_AWARDS_NOMINEE_TO_AWARDS_CEREMONY_REMINDER FEED_FILM_FESTIVAL_TO_ONGOING_FILM_FESTIVAL FEED_ARTIST_TO_ONGOING_MUSIC_FESTIVAL FEED_MUSIC_FESTIVAL_TO_ONGOING_MUSIC_FESTIVAL FEED_EPHEMERAL_EVENT_LIVESTREAM FEED_MULTISPORT_EVENT_OPENING_CEREMONY_REMINDER FEED_MULTISPORT_EVENT_GENERAL_INFORMATION FEED_MULTISPORT_EVENT_GAME_WINNER FEED_MULTISPORT_EVENT_END_OF_GAMES FEED_PBX_MOVIE FEED_PBX_TV FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION RECENTLY_FOLLOWED RECENTLY_FOLLOWED_N2Y MOST_RECENTLY_FOLLOWED FEED_HEALTH FEED_STORIES_COLLECTION SEARCH_ENGAGEMENT_HIGHLIGHT SEARCH_ENGAGEMENT_ASKJOE VIDYA_ONBOARDING FEED_ADS FEED_ADS_HERO_IMAGE FEED_ADS_SQUARE_IMAGE FEED_ADS_SQUARE_CAROUSEL FEED_ADS_SQUARE_THUMBNAIL FEED_ADS_PORTRAIT_IMAGE FEED_ADS_PORTRAIT_CAROUSEL FEED_ADS_CLICK_TO_DOWNLOAD FEED_ADS_CLICK_TO_DOWNLOAD_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_APP FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_DYNAMIC_SHOPPING FEED_ADS_MULTI_PHOTO FEED_ADS_MULTI_PHOTO_PER_CARD_HEADLINE FEED_ADS_ONO_HERO_IMAGE FEED_ADS_DYNAMIC_SHOPPING FEED_ADS_RATIO_TWEAK FEED_ADS_VIDEO FEED_ADS_VIDEO_SQUARE FEED_ADS_VIDEO_PORTRAIT FEED_ADS_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_PHOTO FEED_ADS_APP_REENGAGEMENT_HERO_IMAGE FEED_ADS_APP_REENGAGEMENT_SQUARE FEED_HEADLINE_NEWS FEED_NATION_NEWS FEED_WORLD_NEWS FEED_ENTERTAINMENT_NEWS FEED_SPORTS_NEWS FEED_BUSINESS_NEWS FEED_SCITECH_NEWS CONTEXTUAL_NOTIFICATION LOTTERY_RESULT_NOTIFICATION WEBSITE_UPDATE INTENT_ANNOTATION_DEMO FEED_VIDEO DEEP_TRENDS HIDE_INFERRED_LANGUAGE NOW_PERSISTENT_PUSH YOUTUBE_TENNIS_HIGHLIGHTS WEBKICK_TRENDING_STORIES STAMP LOCALLY_TRENDING_STORIES WEBKICK_LOCAL_STORIES WEBKICK_LOCAL_STORIES_GROUPING EXHIBITIONS ISSUE_SEARCH_QUERY KMU_TRENDING_POLITICS_STORY CARDMAKER SPORTS_TEAM_GAME SPORTS_IOS_LIVE_ACTIVITY SPORTS_ATHLETE_GAME SPORTS_ATHLETE_GAME_FOLLOWED SPORTS_LEAGUE_GAME SPORTS_LEAGUE_SCHEDULE SPORTS_LEAGUE_GAME_FOLLOWED SPORTS_MULTI_PARTICIPANT_GAME PUBLIC_ALERT URGENT_PUBLIC_ALERT UPCOMING_TURNDOWN_PROMO GOOGLE_STORIES BROAD_INTEREST_STORIES BROAD_INTEREST_STORIES_RECENTLY_FOLLOWED BROAD_INTEREST_STORIES_THE_MOST_RECENTLY_FOLLOWED BROAD_INTEREST_ECS_STORIES GEO_TARGETING_STORIES EPHEMERAL_EVENT_STORIES FRESH_VIDEOS TICKET_AVAILABILITY_NOTIFICATION TOPIC_FEED_ENTRY_POINTS SIX_PACK_LOW_ENGAGED COVID_19_ENTRY_POINTS MORNING_ENTRY_POINTS IMAGE PANOPTIC_ARTICLE LOCAL_RECOMMENDATION INTEREST_EXPLORATION DISCOVER_VIDEO_GAME_VIDEOS TWITTER_STORIES PODCAST CRISIS_RESPONSE_ALERT URGENT_CRISIS_RESPONSE_ALERT COOKING_VIDEOS FASHION_BEAUTY_VIDEOS ONEOFF_NOTIFICATION NEW_TO_YOU_GROUPING VISTAAR_ARTICLES CLASSIC_CORE_INTEREST_RESULT DEEP_TRENDS_FABLE FEED_VIDEO_DEEP_REC LIVEWEB_STORY FEED_ONBOARDING_INTEREST_PICKER_SPORTS_TEAMS FEED_INTEREST_PICKER_SPORT_CRICKET_IPL_TEAMS FEED_ONBOARDING_INTEREST_PICKER_BROAD_TOPICS CORE_INTEREST_INTEREST_PICKER INTEREST_PICKER_PILLS INTEREST_PICKER_CHANNEL_INTEREST_VOCAB INTEREST_PICKER_CREATORS INTEREST_PICKER_SPORTS_TEAMS GOG_POSTS GOG_CAMEOS MOONSTONE MOONSTONE_PROMOTED MOONSTONE_FRESH_EMBEDDING MOONSTONE_CORE_INTEREST_EMBEDDING MOONSTONE_NOTIFICATION NEW_MUSIC_ALBUM_RELEASE STORYTIME STORYTIME_SINGLETON STORY_RECOMMENDATIONS REAL_TIME_STORYTIME CLASSIC_CORE_INTEREST_FOOD_AND_COOKING CLASSIC_CORE_INTEREST_FASHION_AND_BEAUTY CLASSIC_CORE_INTEREST_TRAVEL CLASSIC_CORE_INTEREST_MUSIC CLASSIC_CORE_INTEREST_VIDEO_GAME CLASSIC_CORE_INTEREST_TV_AND_MOVIE CLASSIC_CORE_INTEREST_TV_AND_MOVIE_CATEGORIES CURATED_VIDEOS NEWS_HEADLINES DEEP_TRENDS_CORE_INTEREST FEED_CHANNELS_CONTENT POST_FOLLOW_GROUPING POST_FOLLOW_SURVEY NEW_FOLLOW CREATOR_FOLLOW_GROUPING CREATOR_FOLLOW_NEW_FOLLOW QUERY_RECOMMENDATIONS_FROM_CREATOR QUERY_RECOMMENDATIONS_ABOUT_CREATOR FEED_INTERESTED_CHANNELS_CONTENT CHANNELS_CONTENT FEED_ONBOARDING_LANGUAGE_PICKER INFEED_GOLD_PRICE_CARD WEB_FORUM EPHEMERAL_EXPERIENCES LOCAL_RECOMMENDATION_UGC_PLACE_REVIEW SIGN_IN_LURE_BUTTON WHAT_TO_STREAM U2U_VASCO_TASK CUTE_VIDEOS COVID19_LURE GOLDEN_URLS WEB_CHANNELS WEB_CHANNELS_ENTRY_POINTS COVID_NEWS_HEADLINES COVID_NEWS_HEADLINES_SINGLETON COVID_LOCAL_HEADLINES_GROUPING COVID_BEYOND_THE_HEADLINES_GROUPING COVID_CHANNEL_GROUPING_MENTAL_HEALTH COVID_CHANNEL_GROUPING_WORKOUT COVID_CHANNEL_GROUPING_WFH COVID_CHANNEL_GROUPING_RECIPE COVID_CHANNEL_GROUPING_PARENTING COVID_CHANNEL_GROUPING_YOGA COVID_CHANNEL_GROUPING_EDUCATION COVID_CHANNEL_GROUPING_GAMING COVID_CHANNEL_GROUPING_TABLETOP_GAME COVID_CHANNEL_GROUPING_STAY_CONNECTED COVID_CHANNEL_GROUPING_COFFEE_AT_HOME COVID_CHANNEL_GROUPING_PROTECT_YOURSELF COVID_CHANNEL_GROUPING_CREATIVITY_AT_HOME COVID_CHANNEL_GROUPING_WELLNESS SAPPHIRE STAMP_SHORT_VIDEO STAMP_SHORT_VIDEO_SINGLETON SHORT_VIDEO_4PACK EXPLORATION_GROUPING_ONE_TOPIC EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_EXPLORATION_GROUPING_ONE_TOPIC EXPLORE_CHANNEL_EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_BROAD_TOPICS_CHANNEL_PICKER FOLLOWING_FEED_EXPLORATION_GROUPING SHOPPABLE_IMAGE SUBSCRIBE_TO_SEARCH PINNED_CONTENT_FULFILLMENT PINNED_CONTENT_CAROUSEL_FULFILLMENT LOCAL_LIFT_STORIES NEWS_FULL_COVERAGE_ARTICLES NEWS_FULL_COVERAGE_ARTICLES_SINGLETON NEWS_FULL_COVERAGE_TWEETS NEWS_STORIES_HEADLINES NEWS_STORIES_WORLD NEWS_STORIES_REGION NEWS_STORIES_POLITICS NEWS_STORIES_BUSINESS NEWS_STORIES_TECHNOLOGY NEWS_STORIES_SCIENCE NEWS_STORIES_SPORTS NEWS_STORIES_ENTERTAINMENT NEWS_STORIES_OP_EDS NEWS_STORIES_LOCAL NEWS_STORIES_ISSUE_SPOTLIGHT NEWS_STORIES_BEYOND_THE_HEADLINES NEWS_STORIES_PERSONAL_SPOTLIGHT NEWS_STORIES_BREAKING LOCAL_CHANNEL_HEADLINES_GROUPING LOCAL_CHANNEL_HEADLINES_SINGLETONS LOCAL_CHANNEL_FOOD_GROUPING LOCAL_CHANNEL_REGIONAL_GROUPING LOCAL_CHANNEL_LIFESTYLE_GROUPING LOCAL_CHANNEL_VIDEO_GROUPING NEWS_CHANNEL_SINGLETONS LOCAL_CHANNEL_SINGLETONS KOHINOOR_STORIES STORIES_CHANNEL_SINGLETON LOCATION_MANAGEMENT_LURE PRIVACY_NOTICE_CARD SHAREABLE_IMAGES SHAREABLE_IMAGES_CAROUSEL SHAREABLE_IMAGES_FOUR_PACK SHAREABLE_IMAGES_SIX_PACK SHAREABLE_IMAGES_SINGLETON STATEFUL_TASK TRENDING_CHANNELS TRENDING_CHANNELS_SHOPPING TRENDING_CHANNELS_ENTERTAINMENT TRENDING_CHANNELS_BASEBALL TRENDING_CHANNELS_GADGETS TRENDING_CHANNELS_FASHION FIREFLY GARAMOND_DEMO BEYOND_THE_HEADLINES_SINGLETON GARAMOND_RELATED_ARTICLE_GROUPING TOP_SEARCH_INTERACTED INFO_LURE EDITORIAL_STORIES_GROUPING PALATINO_LURE GARAMOND_INTRO LAST_YEAR_TODAY_STORIES DISCOVER_LIGHTWEIGHT_FIRST_PAGE DIVERSE_CONTENT WEB_GAMES FAN_CONTENT_GROUPING RELATED_CONTENT RELATED_CONTENT_RUBY NEW_TO_YOU_MIDNIGHT_TRAIN_TASK HOME_STACK SHOPPING_INSPIRATION SHOPPING_INSPIRATION_DEMO FOLLOWING_FEED WHAT_TO_COOK WEB_CHANNELS_CHANNEL_IN_BAR_LURE AUGMENTED_REALITY HEARTBEAT FOLLOW_INTEREST OLYMPICS_FEATURED_EVENTS CREATOR_CHANNELS_4PACK TAPPABLE_QUERIES PRIVACY_AWARENESS_PROMO CREATOR_CHANNEL_CREATOR_RECOMMENDATIONS CREATOR_CHANNEL_SINGLETON_CONTENT_RECOMMENDATION FLOODS_DATAHUB FOLLOWING_FEED_ENTRY_LURE SOCIAL_PERSPECTIVES SCALABLE_ATTRIBUTE_VIDEOS TRENDING_HASHTAGS IMAGE_GRID SHOPPING_IMAGE_GRID INSPIRING_HASHTAG_IMAGES CONTENT_EXPLORATION CONTENT_EXPLORATION_VIDEOS EPHEMERAL_EVENT EPHEMERAL_EVENT_TWO_PACK MORE_STORIES_LURE WINTER_OLYMPICS WINTER_OLYMPICS_MEDALS WINTER_OLYMPICS_RECAP_VIDEO WINTER_OLYMPICS_LIVE_STORIES DISCOVER_PROMO_CARD DISCOVER_MAGI_PROMO_CARD DAILY_DISCOVER_PROMO_CARD DISCOVER_MAC_GAP_ON_PROMO_CARD DISCOVER_MAC_GAP_OFF_PROMO_CARD DISCOVER_UKRAINE_INFO TRENDING_VIDEOS TRENDING_TOPICS_CLUSTERS MOOD_CLUSTERS FOLLOWING_FEED_ONBOARDING PAGINATION_PANOPTIC FOOD_RECIPES_CLUSTER FOOD_INTERESTING_FINDS_ARTICLE_CLUSTER FOOD_INTERESTING_FINDS_VIDEO_CLUSTER SHOPPING_INSPIRATION_CLUSTER SUPER_INTEREST_ARTICLES_CLUSTER SUPER_INTEREST_SHORT_VIDEOS_CLUSTER CURATED_COLD_USER_ARTICLES_CLUSTER CURATED_COLD_USER_SHORT_VIDEOS_CLUSTER CURATED_GLOYO_ARTICLES_CLUSTER CURATED_GLOYO_SHORT_VIDEOS_CLUSTER THIN_PROFILE_USER_SHORT_VIDEOS_CLUSTER ON_DEVICE_MEDIA_CONTENT_CAROUSEL SEARCH_BASED_FAST_PERSONALIZATION CONTENT_AND_PLACE_MENTIONS_GROUPING SPORTS_ATHLETE_INFO RELATED_VIDEOS WHAT_TO_STREAM_SRP_ACTION_CLUSTER CONTAINER_EXPANSION_CONTRACTION_SWITCH MEDIA_CONTENT_EXPLORE_MORE_BANNER PETACAT_EXPLORATION PETACAT_CHANNEL SHOPPING_HALLOWEEN_PROMO_CARD SHOPPING_HOLIDAY_DEALS_PROMO_CARD ATTRIBUTE_VIDEO LENS_AWARENESS_PROMO_CARD FLAVOR_CORPUS_CHANNELS ON_DEVICE_MEDIA_CONTENT_ERROR NOW_NEW_ROMAN_IMAGE_LURE DISCOVER_YEAR_IN_SEARCH EUROPE_ENERGY_CRISIS_PROMO QUERY_RECOMMENDATIONS_WYWA QUERY_RECOMMENDATIONS_WYWA_PIN_AT_TOP QUERY_RECOMMENDATIONS_SIQE QUERY_RECOMMENDATIONS_TMSN QUERY_RECOMMENDATIONS_TRAVEL QUERY_RECOMMENDATIONS_TOM_RELATED_QUESTIONS QUERY_RECOMMENDATIONS_WEB_ANSWERS QUERY_RECOMMENDATIONS_TOM_Q2Q QUERY_RECOMMENDATIONS_GTQ QUERY_RECOMMENDATIONS_BROAD_LOCAL_NEWS QUERY_RECOMMENDATIONS_SIQE_NUROOT QUERY_RECOMMENDATIONS_NUROOT_SINGLETON QUERY_RECOMMENDATIONS_NUROOT_DOUBLETON QUERY_RECOMMENDATIONS_NUROOT_THREE_PACK QUERY_RECOMMENDATIONS_NUROOT_FOUR_PACK EXAMPLE_DISCOVER_FEATURE UCP_FOUR_PACK UCP_TWO_PACK FOLLOW_IN_MAIN_FEED TRAVEL_TTD_FOUR_PACK TRAVEL_TTD_FOUR_PACK_PREFABS DISCOVER_APP_MEDIA_FOUR_PACK DISCOVER_APP_AUDIO DISCOVER_APP_ON_DEVICE DISCOVER_APP_ON_DEVICE_ONBOARDING TAPPABLE_QUERIES_WITH_RANGE_POS_CONSTRAINTS SPORTS_LEAGUE_CLUSTER_INFO SPORTS_LEAGUE_STANDINGS_INFO TAPPABLE_QUERIES_WITH_CONSERVATIVE_POS_CONSTRAINTS LOCAL_EVENTS LOCAL_EVENTS_WITH_FIXED_POSITION_SPEC SHOPPING_PRODUCT_GRID SHOPPING_PRODUCT_GRID_SHORT_CARDS SHOP_THE_LOOK ASTRIA FP13N_EMBED_RETRIEVAL_CONTENT HEART_RELATED_CONTENT DISCOVER_TVM_VERTICAL UNPLANNED_EVENTS CONTENT_AND_PLACE_ATTACHMENTS HEART_FP13N_EMBED_RETRIEVAL_CONTENT SHOPPING_TASK_PRODUCT_GRID SHOPPING_TASK_PRODUCT_GRID_SHORT_CARDS NOW_NEW_ROMAN_CLUSTER NAV_QUERY_POST_FOLLOW_CONTENT TRANSLATED_CONTENT DISCOVER_VERTICAL GOOGLE_TWENTY_FIVE_PROMO_CARD SHOPPING_PRODUCT_GRID_PERSONALIZED_CATEGORY_SHORT_CARDS SHOPPING_PRODUCT_GRID_POPULAR_CATEGORY_SHORT_CARDS EXPLICIT_INTERESTS_TO_FOLLOWS_INFO_CARD JPS_SENIORS_PROMO_CARD SPORTS_TEAM_GAME_FOLLOWED SPORTS_TEAM_GAME_NEW_FOLLOW ADD_WIDGET_PROMO_CARD UCP_DELAYED_NOTES_CREATION_PROMPT_CARD QUERY_RECOMMENDATIONS_DINING QUERY_RECOMMENDATIONS_MOONSTONE QUERY_RECOMMENDATIONS_BROAD_TOPIC QUERY_RECOMMENDATIONS_FOLLOW_INSPIRED LOCAL_MERCHANT_CONTENT UPSELL_QUERY_PICKER LODGING_FOUR_PACK APP_UPGRADE_PROMO_CARD RAY_PROMO_CARD QUERY_RECOMMENDATIONS_JOURNEY_EXPLORATION QUERY_RECOMMENDATIONS_TVM_WHAT_TO_WATCH QUERY_RECOMMENDATIONS_TRAVEL_TTD VERTICAL_NEWS_DIGEST LOK_SABHA_ELECTION_PROMO QUERY_RECOMMENDATIONS_QUERY_CONTENT_EXPLORATION DEBUG_PROMO_CARD SHOPPING_DEALS_LURE QUERY_RECOMMENDATIONS_USER_BANDIT OLYMIPCS_SEARCH_GENERATIVE_EXPERIENCE_PROMO_CARD EUROPE_ELECTION_PROMO_CARD QUERY_RECOMMENDATIONS_LOCAL_ACTIVITIES EUROPE_ELECTION_RESULTS_PROMO_CARD QUERY_RECOMMENDATIONS_LIMELIGHT_REVIEW QUERY_RECOMMENDATIONS_LIMELIGHT_DISCUSSION QUERY_RECOMMENDATIONS_LOCAL_MERCHANT_CONTENT DISCOVER_LABS_PROMO_CARD OLYMIPCS_SEARCH_PLAYGROUND_PROMO_CARD QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_TOM_Q2Q_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_MIXED_CONTENT SMARTBOXES COMMUNITY_QNA_PROMO_CARD QUERY_RECOMMENDATIONS_TRENDING_MUSTNT_MISS QUERY_RECOMMENDATIONS_MUSTNT_MISS_IN_VERTICAL QUERY_FOLLOW_EMPTY_INJECTION_NOTICE QUERY_RECOMMENDATIONS_JOURNEY QUERY_RECOMMENDATIONS_HUVO_VIDEO QUERY_RECOMMENDATIONS_HUVO_CAROUSEL DISCOVER_PROMO_CARD_AT_ONE DISCOVER_PROMO_CARD_AT_SEVEN QUERY_RECOMMENDATIONS_SIQE_ACTIVITY QUERY_RECOMMENDATIONS_REPEAT_INFO INDIAN_PREMIER_LEAGUE ANIMA_NOTICE_CARD RWJ_SHORT_VIDEO ENTERTAINMENT_TRAILER_DROP SPORTS_GAME_SCHEDULE TVM_WHAT_TO_WATCH_MOST_SEARCHED_CAROUSEL enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Information about the current location. Specific information for this context. Upcoming events and reminders. Trip information. Ongoing trip information. Updates for the user. Content recommendations. Other recommendations. For cards in non personalized stream. Election information. Onboarding. Everything else. For Shadie demo. Cards that might be needed while in a vehicle. Bundle for feedback requested from user. NeedBundleTypes used in the intent system should appear after this line. See commentary at the start of the enumeration. Information about the user's next destination. Types with KMU/FEED prefix refer to Interest feed. Bundles for movie release related KMU intents. Bundle for stock ticker list card in dashboard. Bundle for trending story. Bundle for search awareness features. Bundle for sports awareness features. Bundle for TV Episodes awareness tips. Bundle for HOT_KP. Bundle for KMU finance intents. Sports game cluster. Personal Dashboard Enhancement. Visit go/personal-dashboard-v1.1 for more details. Experimental bundle for smeared movie clusters. Bundles for Assistant HQ (go/hq-now-integration). Bundles for Assistant HQ Eval (go/hq-now-integration). Bundles for welcome cards. Today in history cards. Bundles of new-to-you cards. More bundles are added to handle dismisses properly as V2 dismiss action is on the collection card and collections are identified with the bundles. Bundles of long term ineterest cards. Bundles of url-to-url Crosspath cards. Bundles of fresh url-to-url cards. Bundles of url-to-url cards. Bundles of url-to-url ruby cards. Bundles of Discover View triggered url-to-url cards. Bundles of Discover Hearts triggered url-to-url cards. Bundles for end-of-day stock notification cards. Bundles for awards ceremony cards. Bundles for film festival cards. Bundles for music festival cards. Bundles for ephemeral event livestream cards. Bundles for multi-sport event (e.g. Asian games) cards. Bundles for popularity based experience Bundles for books cards and notifications. Bundles for recently followed entities. Bundles for health cards and notifications. Bundles of Highlight cards. Bundles of AskJoe cards. Bundles for Vidya language onboarding features. Bundles for Ads -- go/feed-ads-frontend Hard news content types -- go/feed-news Bundle for Contextual notifications. Lottery related. Bundle for website update cards. Bundle for intent annotation offline demo and eval. Video cards. Bundle for DeepTrends stories. Bundle for Language Picker which will allow user to opt out from Bilingual feed. Bundle for notifications that were originally sent via push that need to be re-served during feed refresh. Bundle for tennis highlights. Bundle for webkick trending stories Bundle for STAMPs (go/stamp-feed-design). Locally trending stories are part of zero state content. Bundle for webkick local stories Bundle for museum exhibitions (add go link) User wants to issue a query. Parameterized by the query, itself, as a string. Bundle for politics trending story. Bundle for cardmaker cards. Sports on the intent system. Team game bundle. iOS live activity bundle. Athlete game bundle. Athlete game bundle for followed queries. League game bundle. League schedule bundle. League game bundle for followed queries. Multi participant game bundle. Bundles for Public Alerts cards. Bundle for upcoming turndown promo cards. Bundles for Google Stories Card. Broad interest stories (go/broad-interest-modeling-design). Stories targeted based on the user's city location. Stories based on date/time dependent events such as festivals. See go/festive-feed for festivals design. Videos from panoptic Start of ticket sales notification Topic feed entry points that lead to Topic Feed on a particular topic. Six Pack for users with low Discover engagement. A group of 6 COVID-19 related sub-intents. Using the same UI as the organic 6 Pack. A group of entry points that are triggered only in the morning. Images cluster. For now used for images experience prototyping in Discover. See go/images-in-discover-notes for project notes. Need bundle type corresponding to all Panoptic based fulfillers. Personalized local recommendation by go/local-stream-prd. Bundle for video games for core interests (fulfilled by videoroot). Bundle for Twitter in Discover card. Bundle for Podcast recommendations. Bundles for Crisis Response Alerts cards (SOS Alerts, Public Alerts) Bundle for cooking for core interests (fulfilled by videoroot). Bundle for fashion and beauty for core interests (fulfilled by videoroot). Bundle for One-off Notifications. N2Y content grouped around an interest or attribute (go/n2y-groupings-prd). Indic Articles from Vistaar. Core Interest fulfilled by ECS contents Design doc: (go/ci-content-ecs) Bundle for DeepTrends FaBLE stories. Design doc: (go/deep-trends-fable). Bundle for deep videos retrieval (fulfilled by videoroot). Bundle for liveweb stories. Legacy Interest picker go/follow related Pickers. Bundles for different Get-On-Google contents (go/gog) Bundles for Get-On-Google posts. Bundle for Get-On-Google cameos. Bundle for Moonstone quasi-personalized content. Need bundle type for Moonstone with Monet embedding on fresh content. Need bundle type for Moonstone with Monet embedding on core interest Bundle for Moonstone quasi-personalized content. Bundle for new album release Bundle for STORYTIME using carousel UI (go/storytimesite). Bundle for STORYTIME using the singleton UI (go/storytime-singleton-dd). Bundle for Story Recommendations (go/story-recs-serving-design). Bundle for Real Time P13n STAMPs (go/real-time-stamp-dd). Classic Core Interest food and cooking vertical, fulfilled by ECS contents Classic Core Interest fashion and beauty vertical, fulfilled by ECS contents Classic Core Interest travel vertical, fulfilled by ECS contents Classic Core Interest music vertical, fulfilled by ECS contents Classic Core Interest video game vertical, fulfilled by ECS contents Classic Core Interest tv and movies vertical, fulfilled by ECS contents Classic Core Interest tv and movies categories vertical, fulfilled by ECS contents Bundle for curated videos retrieval Bundle for News Headlines. Bundle for DeepTrends Core Interest stories. Design doc: (go/deep-trends-core-interest). Bundle for content from Topic Feed Channels in the main Discover feed. Bundle for post-follow grouping in the main Discover feed. Bundle for post-follow survey in the Discover feed. Bundle for post-follow grouping targeting new follows. Bundle for creator follows. go/creator-follow-plan Bundle for creator follows made recently. Bundle for creator content. Bundle for creator content. Bundle for content from from user interested channels in Main Feed. Bundle for fulfilling channels requests. Bundle for Inline Language Picker (go/feed-lang-picker) Bundle for gold price in Discover Feed. Bundle for forum content in Discover. Bundle for Ephemeral Experiences notifications. Personalized local recommendation with UGC photos and reviews contents for a single place (go/discover-ugc-review-card-prd) Sign in Lure Button for discover signed out users ( go/iga-signedout-discover ) Intent for Discover What To Watch streaming recommendations card. Intent for U2U content for Vasco tasks. Bundle for videos with cute attributes. Design doc: go/discover-attribute-videos-dd. Bundle for showing a COVID-19 lure card that points to OSRP. Golden URLS to show in discover. Bundle for WebChannels content in Discover. Bundle for WebChannels entry points (i.e., 6-pack) in Discover. go/web-channels-6-pack Covid news headlines in Discover. See go/covid19-headlines-discover-dd. For main feed cluster For landing page singletons For landing page local grouping These channel-specific types are needed to implement channel-specific packing rules (e.g., fixed position). Bundle for interest exploration stories in Discover. Bundle for triggering STAMP short video using a carousel UI on the Discover feed. Contra doc: go/contra_project_plan, go/contra-design Stamp doc: go/stamp_background Bundle for triggering STAMP short video using a singleton UI on the Discover feed. Design doc: go/stampshortvideo-carousel-dd Bundle for triggering STAMP short video using grid (4-pack) UI on the Discover feed. Bundle for exploration groupings. Doc: go/discover-exploration-groupings Bundle for exploration groupings in Explore Channel. Bundle for channel picker in Explore Channel. Bundle for exploration groupings in Following Feed Bundle for shoppable images. go/shoppable-images-in-discover-implementation Bundle of SUBSCRIBE_TO_SEARCH intents. For fulfilling content in the feed from notification click Bundle for local lift stories from panoptic's hivemind channel go/signedout-hivemind Bundles for Full Coverage landing pages. Bundle for the top news headlines from top publishers. Bundle for the top world news headlines from top publishers. Bundle for the top regional (e.g., "US") news headlines from top publishers. Bundle for the top politics news headlines from top publishers. Bundle for the top business news headlines from top publishers. Bundle for the top technology news headlines from top publishers. Bundle for the top science news headlines from top publishers. Bundle for the top sports news headlines from top publishers. Bundle for the top entertainment news headlines from top publishers. Bundle for the top news opinion articles. Bundle for the top local news articles. Bundle for ongoing / long-running news stories. Bundle for articles that provide in-depth reporting on key news topics. Bundle for niche news stories highly specific to the user. Bundle for breaking news articles. Bundle for a group of top local stories Bundle for singleton top local stories Bundle for a group of local food / restaurant stories Bundle for a group of state / county local stories Bundle for a group of local lifestyle stories Bundle for a group of local videos Singleton results for the #News channel. Singleton results for the #Local channel. Bundle for kohinoor content in discover. Bundle for Stories Channel in Discover. See go/serving-stories-channel. Bundle for a card letting the user configure their preferred location(s). Bundle for the privacy notice card. Bundle for Shareable Images Card in Discover. Bundle for Shareable Images in Discover using a Carousel UI on the discover feed. Bundle for Shareable Images in Discover using a Four-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Six-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Singleton UI on the discover feed. Bundle for Stateful Tasks in Discover. Bundle for Trending Channels. Bundle for Trending Channels Shopping card. Bundle for Trending Channels Entertainment card. Bundle for Trending Channels Baseball card. Bundle for Trending Channels Gadgets card. Bundle for Trending Channels Fashion card. Bundle for triggering content from torso/tail publishers. go/fireflyxdiscover-le Bundle for non-organically triggering garamond cards for demo / testing. Bundle for Beyond-the-headlines singletons in Discover. go/bth-discover-dd Bundle for Garamond related article groupings. go/garamond-related-articles Bundle for serving top search interacted urls in discover. go/top-search-interacted Bundle for info lures in Discover. See go/discover-info-lures Bundle for Editorial Curation stories in Discover. See http://go/discover-editorial-collections Bundle for Palatino lure in Discover. Bundle for got-it card to introduce garamond cards. go/garamond-got-it-card-plan Bundle for Lyt (aka last year today) stories for Feed on select dates. See go/lyt-stories-in-feed for more details. Bundle for Discover Lightweight First Page. See: go/lightweight-first-page. Bundles for showing unpersonalised feed in discover. Since we want to show each topic in a separate cluster, we are creating a separate need_bundle_type for each need_type. See: go/gold++-dd Bundle for showing web games in Discover. Bundles for showing Fancast content in discover. See: go/fancasts Need bundle type for related content intents. go/discover-emerald-server-design Need bundle type for related content intents for Discover Ruby. go/discover-ruby-serving Need bundle type for midnight train next step in user journey prediction. go/wa-journey-online Need bundle type for Discover home stack. go/home-stack-discover-dd Need bundle type for Shopping inspiration content go/shopping-inspiration-panoptic Need bundle type for Shopping Inspiration Demo cards. Need bundle type for Discover Following feed. Recipe bundle type in discover go/recipes-in-discover-design Need bundle tyoe for Web Channels Channel-in-bar lure go/discover-webchannels-channel-in-bar-lure-dd Need bundle type for Augmented Reality content. Please take a look at go/o20-athletes-in-ar for more details. Need bundle type for HeartBeat in GeoTargetingStroies. go/heartbeat-dd for more details. Need bundle type for Singleton follow card. go/o20-discover-follow-card Need Bundle for Featured Events Card for Olympics on Discover go/o21-featured-events-in-discover-design Need bundle type for Creator Channel 4-Pack Content go/cc-discover-4pack Need bundle type for engaging tappable queries on Discover. go/tappable-queries-dd Need bundle type for privacy awareness cards. go/discover-privacy-awareness-promos Need bundle type for Creator Channel 6-pack creator recommendation See go/cc-discover-6pack Need bundle type for Creator Channel singleton content recommendation Need bundle type for floods data hub notifications Need bundle type for Discover Following feed. Need bundle type for Social Perspectives content. Social Perspectives aims to organize social media conversations across platforms and surface them to Discover users. See go/fanspeak-social-perspectives-dispur-review-presentation. Need bundle type for Scalable Attribute content. Scalable Attribute content aims to deliver content based on content properties / flavor rather than ties to particular topics or mids. Bundle for trending channels go/discover-trending-hashtags Need bundle type for Image Grid in main feed. go/image-grid-main-feed. Need bundle type for Shopping Image Grid in main feed. go/discover-brand-le Need bundle type for Inspiring Hashtag Images in main feed. go/inspiring-hashtag-serving. For exploring new or tail content/creators. go/next-gen-content-explore. For exploring new video content. go/ce-discover-videos. Need bundle type for Events content in main feed. go/events-in-discover-dd. Need bundle type for Events content served as two pack in main feed. go/events-in-discover-dd. Need bundle type for more_stories (WEBKICK_STORIES_SECONDARY_PAGE_LURE) card. Need bundle type for Winter Olympics features. go/discover-winter-olympics-22-design Deprecated Need bundle type for configurable cards on the Discover feed. go/discover-promo-card-platform Need bundle type for a Magi promo card on the Discover feed using it's promo framework (go/discover-promo-card-platform). Need bundle type for Daily Discover Promo Card. go/daily-discover-promo-impl Need bundle type for a MAC GAP-on promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for a MAC GAP-off promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for showing Ukraine Info card. Need bundle type for mood clusters. go/discover-mood-based-cluster-fulfillment Need bundle type for following feed onboarding. go/following-feed-onboarding. Need bundle type for on-the-fly Panoptic content in Pagination. For Food Super-interest vertical go/food-super-interest-cluster go/horizon-3-shopping-experiences-design For generic Super-interests use go/define-discover-super-interests For on-device media content carousel go/media-content-on-discover-dd. For search based fast personalization go/search-based-fp-roadmap. Bundle for a group of article with place mentions. Athlete info for team/athlete games - go/athlete-triggering-dd Related videos - go/related-videos-aga-design Need bundle type for Discover What To Watch streaming srp action cluster. go/stream-srp-action Switch which makes a container expand/collapse. go/tangor-media-card-design 'Explore more' banner for media content on Discover. go/media-content-explore-more-banner Need bundle type for petacat exploration channel. We would like to do quality tuning with things like fixed position, so separate it from CONTENT. go/explore-value-with-multiarm-bandit Need bundle type for shopping halloween promo card. Need bundle type for shopping black friday deals promo card. Need bundle type for Discover Attribute videos. go/lens-awareness-promo Need bundle type for Discover Lens awareness promo card. Need bundle type for Discover flavor corpus project go/discover-corpus-lp Need Bundle type for Media Error states on Discover go/minus-one-tangor-error-states Need bundle type for NewRoman Image Lure card Need bundle type for a year in search info card. Need bundle type for European energy crisis card. Need bundle types for query recommendations. go/query-recommendations:serving-infra Need bundle type for "While you were away" (go/wywa-v0) Need bundle type for "Serendipitous query exploration" (go/siqe-quality) Need bundle type for "Teach Me Something New" (go/tmsn-dd) Need bundle type for Travel (go/travel-inspo-queries-dd) Need bundle type for "WebAnswers in QR" (go/sh-related-query) Need bundle type for "Aquarium WebAnswers in QR" (go/discover-questions-feature-dd) Need bundle type for Top-of-mind Q2Q (go/tom-q2q-infra) Need bundle type for Geo Targeting query recommendation. Need bundle type for broad local news query (go/discover-local-news-dd). Need bundle type for "Serendipitous query exploration" fulfilled via NuRoot backend. Need bundle type for singleton query clusters fulfilled via NuRoot backend. Need bundle type for doubleton query clusters fulfilled via NuRoot backend. Need bundle type for 3-pack query clusters fulfilled via NuRoot backend. Need bundle type for 4-pack query clusters fulfilled via NuRoot backend. Need bundle type for an example discover feature Bundle for UCP using 4-pack UI (go/ucp-discover-design). Bundle for UCP using 2-pack UI (go/ucp-discover-design). Need bundle type for followed content shown in the Main Feed go/follow-boost Need bundle type for Travel Things to Do using 4-pack UI (go/ttd-on-discover-design). Need bundle type for Travel Things to Do using 4-pack UI and prefabs (go/ttd-on-discover-design, go/discover-primitive-sfps). Need bundle type for media app content go/paces-design-doc Need bundle type for listen app content go/paces-listen-dd Need bundle type for on device app content go/discover-on-device-content Need bundle type for on device app content onboarding go/discover-on-device-content Need bundle type for range_position_spec based ranking in packer go/si-ep-delve-dd Need bundle type for sports league experience (go/sports-discover-league-cluster-design-doc). Need bundle type for sports league standings experience (go/standings-card-discover) Need bundle type for conservative adaptive ranking constraints go/si-ep-delve-adaptive-ranking-prd Need bundle type for local events content. go/local-events-on-discover Need bundle type for Shopping Product Grid in main feed. go/productgrid-fe-impl Need bundle type for Shopping Product Grid Short Cards with personalized queries in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shop The Look in main feed. go/stl-fe-design, go/sda-stl-be Need bundle type for Astria personalized content. Need bundle type for Fast Personalization embedding based retrieval content. go/fp13n-embed Need bundle type for heart related content. go/discover-heart Need bundle type for discover tvm vertical. go/discover-tvm-vertical-dd Need bundle type for unplanned events content. go/events-on-discover For article and place mentions attachments. go/discover-prefabs Need bundle type for heart fast personalization embedding based retrieval content. go/fp13n-embed Need bundle type for Task Product Grid in main feed. go/task-continuation-product-grid-be Need bundle type for Task Product Grid Short Cards in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for NewRoman Image Cluster card Need bundle type for Navigational Query source post-follow and query post-follow fulfillment. Currently only used for dark launch LE. go/nav_query_coverage_analysis Need bundle type for translated (Toledo) content on Discover (go/transcend-dd) Need bundle type for discover verticals content and attachments. go/events-using-qr-dd Need bundle type for Google 25th celebratory card on the Discover feed. See go/g25-xga Need bundle type for Shopping Product Grid Short Cards with personalized categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shopping Product Grid Short Cards with popular categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for info card in Discover main feed educating users that their explicit interests are now follows Need bundle type for promo card run by Japan Search for Seniors team in Discover main feed Need bundle type for followed sports team game cards. Need bundle type for sports team game cards targeting new follows. Need bundle type for followed sports team game cards. Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. Need bundle type for Dining (go/disco-dining-dd) Need bundle type for MOONSTONE Targeting query recommendation. Need bundle type for Broad Topic query recommendation. Need bundle type for Follow Inspired query recommendation. Need bundle for Local Merchant Content (go/mcc-discover-le). Need bundle type for upselling a query picker to users more likely to follow queries. Need bundle type for hotel and vacation rental Four-Pack UI on the discover feed. Need bundle type for app upgrade promo card shown to the user. Need bundle type for Results About You promo card shown to the user. Need bundle type for Journey Exploration query recommendation. Need bundle type for "w2w query"(go/w2w-for-discover) Need bundle type for Top Sights on QR (go/top-sights-qr-migration). Need bundle type for a content retriever retrieves hard-coded video game news. This retriever will be used for a signal LE. Bundle for Lok Sabha Promo on Discover Need bundle type for Query Content Exploration query recommendation. Need bundle type for the Discover Debug in-feed opt-in/debug card. go/discover-debug-card-dd. Need bundle type for the Shopping Deals Lure card on Discover. go/shopping-discover-promo-le Need bundle type for User Bandit query recommendation. Need bundle type for olympics SGE promo card. go/discover-olympics-sge Need bundle type for local activities query recommendations. Need bundle type for "LimeLight Review". go/discover-limelight-review-dd Need bundle type for "Limelight Discussions" go/discover-limelight-discussions-dd Need bundle for Local Merchant Content QR (go/mcc-discover-qr) Need bundle for internally used Discover labs promo card. Need bundle type for Olympics Playground promo card. go/olympic-search-playground-promo Need bundle type for rich entity attachment. go/sv-rich-design Need bundle type for recommended entity attachment go/offline-entity-enhancement Need bundle for mixed content query cluster of horizontal and shopping content (go/mixed-content-with-shopping). Need type for Smartboxes content. (go/smartbox-design) Need bundle type for Q&A in Discover LE promo card. go/community-qna-discover-le Need bundle type for Trending Mustn't Miss queries. go/trending-mustnt-miss-dd Need bundle for an empty injection notice. go/no-content-injection-notice-dd Need bundle type for Journey query recommendation. Need bundle type for Huvo video query recommendation. Need bundle type for HuVo clusters using carousel UI. Shared Need bundle type for promos running via the Seaport framework and set at position 1 in the Discover feed. go/discover-promo-in-seaport. Shared Need bundle type for promos running via the Seaport framework and set at position 7 in the Discover feed. go/discover-promo-in-seaport. Need bundle type for SIQE activity based recommendations. Need bundle type for repeat info query recommendation (go/repeat-info-needs). Need bundle type for https://en.wikipedia.org/wiki/Indian_Premier_League. Need bundle type for the Anima notice card Need bundle type for RWJ short video card. Need bundle type for "Entertainment Trailer Drop". go/sv-entertainment Game schedule bundle. Need bundle type for "tvm w2w most searched carousel". type string suppressClusterPadding description If false, clients should not group together content from more than one cluster. Cluster Packer packs each individual card inside its own cluster, and this field determines whether a cluster's contents should be grouped together with the previous cluster irrespective of their entry_update_id, controlling the multi-column layout. type boolean title description Title displayed for the cluster. type string topMarginInDp description Top margin for the cluster, in DP Only specifiable for android v6.0+. format int32 type integer old_value backgroundColor description Color (argb) of background displayed in the cluster header. format uint32 type integer bottomMarginAllCardsInDp deprecated True description This used to override bottom margin for all cards in the given cluster in dp. It is now deprecated and should not be used in any version using Monet. (Do not use after AGSA v7.13) format int32 type integer bottomMarginInDp description Override bottom margin for the given cluster in dp. Only specifiable for Android v6.0+. format int32 type integer cardElevationInDp deprecated True description This used to override elevation for all cards in the given cluster in dp. It is now deprecated and should not be used in any version using Monet. (Do not use after AGSA v7.13) format int32 type integer clientAction deprecated True description This was added to support a drop down menu of actions. This is no longer used. items $ref Sidekick__ClientAction type array clusterType description Type of the cluster. enum OTHER AROUND_YOU UPCOMING UPDATES STORIES TRIP MORE_CARDS WEBKICK_STORIES INTEREST_UPDATE ENTITY_BASED RECOMMENDATION EXPERIMENTAL ELECTION ONBOARDING THIRD_PARTY_APPS_AND_SITES NOW_ON_TAP_STREAM TOP_STORIES_GENERAL AT_A_CONTEXT TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED ELECTION_STORIES BEFORE_PLACE IN_VEHICLE DEEP_NOW_WHOLE_CLUSTER OLYMPICS INTERESTS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_PROMO_BANNER ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS NEW_TO_YOU FEED_ADS enumDescriptions All clusters not from types below. This type should be used only for debugging or as a temporary solution. Lotic cluster IDs. Cluster at the bottom of the stream for experimental cards. New cards should start out as experimental, and after approval may move to the "dogfood" stage to show up in other clusters. The cluster is to be shown in the Now on Tap stream. See go/peek-at-now as an example feature. DeepNow is the framework for serving TensorFlow learned models to help in ranking/scoring Now cards. These models are learned using Now logs and intended to be displayed in a separate cluster for the initial live experiments. For more details, deep-now@ and/or jameskunz@. Cluster containing standalone election stories carousel, when there are no civic election cards present. Cluster containing information about the user's next destination. Cluster containing information that a user might need while in a vehicle. Similar to DEEP_NOW_SUGGESTED, but for when a whole cluster is moved. Cluster containing information about the olympics. Keep me updated (KMU) interest clusters. Weather cluster in Lightyear to be ranked at 1. Cluster containing a HaTS survey card. Single view tutorial card position to be ranked at 1 and shown rarely. Clusters for the Assistant HQ. Clusters for the new-to-you content. Ads clusters. type string dividerColor description Color (argb) used for the divider line between clusters. format uint32 type integer emptyClusterCardEntryUpdateId description This is the entry_update_id of the Entry which is considered the empty card for the Cluster, the Card shown if there is no other content. The card will be hidden if other cards are visible in the cluster. It must be in the top level of the children in the cluster. format int64 type string fontColor description Color (argb) of font displayed in the cluster header. format uint32 type integer headerImageUrl description URL of image displayed behind the cluster header. type string isChild description True if the card is inside a cluster. This field is populated only in joined/flattened logs by the joining script. type boolean isDividerVisible description Whether to show the divider type boolean isFullBleed description Whether all contents of the cluster should extend to the container edge. type boolean justification description Justification for why the cluster is being shown. type string needBundleType description The type of the NeedBundle that triggers the cluster. enum UNKNOWN CURRENT_LOCATION AT_A_CONTEXT UPCOMING TRIP CURRENT_TRIP UPDATE CONTENT RECOMMENDATION NON_PERSONALIZED ELECTION ELECTION_STORIES ONBOARDING ONBOARDING_MOVIES ONBOARDING_MUSIC ONBOARDING_SPORTS ONBOARDING_STOCKS FULL_PAGE_INTEREST_PICKER_LURE MISC THIRD_PARTY THIRD_PARTY_APPS_AND_SITES CUSTOMIZE INTERNAL INTERNAL_TOP_OF_STREAM INTERNAL_BOTTOM_OF_STREAM INTERNAL_PROMO NOTIFICATION EXPERIMENTAL IOS_PROMO LOBBY IN_VEHICLE OLYMPICS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME TOP_STORIES_GENERAL TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED BEFORE_PLACE KMU_MOVIE_WITH_RELEASE_DATE KMU_ACTOR_TO_MOVIE_WITH_RELEASE_DATE KMU_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_V2_MOVIE_STREAMING_WITH_RELEASE_DATE FEED_V2_MOVIE_WITH_RELEASE_DATE FEED_V2_YOUTUBE_MUSIC_VIDEOS FEED_V2_YOUTUBE_LIVE_STREAMS FEED_V2_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_ACTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_ARTIST_TO_YT_MUSIC_VIDEO FEED_ATHLETE_TO_TEAM_WITH_JOIN_DATE FEED_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_COACH_TO_TEAM_WITH_JOIN_DATE FEED_DIRECTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_LOCATION_TO_BOLLYWOOD_UPDATE FEED_MOVIE_SHOWTIMES FEED_MOVIE_TO_MOVIE_SEQUEL_WITH_RELEASE_DATE FEED_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_SPORTS_ATHLETE_COLLECTION FEED_SPORTS_LEAGUE_STANDING FEED_SPORTS_PRE_GAME_COLLECTION FEED_SPORTS_POST_GAME_COLLECTION FEED_SPORTS_ONGOING_GAME_COLLECTION FEED_SPORTS_PRIMARY_LEAGUE_COLLECTION FEED_SPORTS_SECONDARY_LEAGUE_COLLECTION FEED_SPORTS_TEAM_TO_JOIN_DATE FEED_SUGGESTED_ACTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_SUGGESTED_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_MOVIE_WITH_RELEASE_DATE FEED_TV_SERIES_TO_NEW_AIRING_EPISODE FEED_VIEDOGAME_TO_VIDEOGAME_SERIES_WITH_RELEASE_DATE FEED_VIDEOGAME_WITH_RELEASE_DATE FEED_VOTING_REMINDER FEED_ONBOARDING_INTEREST_PICKER FEED_GESTALT_WELCOME_CARD FEED_WEATHER DASHBOARD_STOCK_TICKER_LIST KMU_TRENDING_STORY SEARCH_AWARENESS SPORTS_AWARENESS TV_EPISODE_AWARENESS KMU_HOT_KP KMU_FINANCE KMU_SPORTS_GAME ENHANCED_PERSONAL_DASHBOARD_MY_DAY ENHANCED_PERSONAL_DASHBOARD_AROUND_ME ENHANCED_PERSONAL_DASHBOARD_UPDATES KMU_SMEARED_MOVIE_WITH_RELEASE_DATE ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS ASSISTANT_HQ_HIGHLIGHTS_EVAL ASSISTANT_HQ_AGENDA_EVAL ASSISTANT_HQ_TRAVEL_EVAL ASSISTANT_HQ_REMINDERS_EVAL ASSISTANT_HQ_ORDERS_EVAL ASSISTANT_HQ_SHOPPING_LIST_EVAL ASSISTANT_HQ_PROMO_BANNER TUTORIAL_PROMO_FEED TUTORIAL_PROMO_DASHBOARD FEED_TODAY_IN_HISTORY_BIRTHDAY FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY FEED_TODAY_IN_HISTORY_GEO_ESTABLISHED FEED_TODAY_IN_HISTORY_HISTORICAL_EVENT FEED_TODAY_IN_HISTORY_LAW_IN_EFFECT FEED_TODAY_IN_HISTORY_LAW_RATIFIED FEED_TODAY_IN_HISTORY_LEGAL_CASE_DECIDED FEED_TODAY_IN_HISTORY_EVENTS_LOCALIZED FEED_TODAY_IN_HISTORY_BIRTHDAY_LOCALIZED FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY_LOCALIZED NEW_TO_YOU NEW_TO_YOU_MOVIE NEW_TO_YOU_VIDEO_PURCHASE NEW_TO_YOU_TRIP NEW_TO_YOU_HOBBY_TRIP NEW_TO_YOU_LANDMARK NEW_TO_YOU_MOVIE_CAST NEW_TO_YOU_REMINDER NEW_TO_YOU_WHILE_TRAVELING NEW_TO_YOU_VASCO_TASK NEW_TO_YOU_VASCO_FRESH_TASK NEW_TO_YOU_VASCO_VIDEO_TASK NEW_TO_YOU_FRESH_INTEREST NEW_TO_YOU_BOOK_PURCHASE NEW_TO_YOU_VIDEO_GAME_PURCHASE NEW_TO_YOU_SOFTWARE_PURCHASE NEW_TO_YOU_LIVE_VIDEO NEW_TO_YOU_TODAY_IN_HISTORY NEW_TO_YOU_EVENT NEW_TO_YOU_LONG_TERM_INTEREST NEW_TO_YOU_PARENTING NEW_TO_YOU_AFTER_A_PLACE LONG_TERM_INTEREST URL_TO_URL_RECOMMENDATION_CROSSPATH URL_TO_URL_RECOMMENDATION_FRESH URL_TO_URL_RECOMMENDATION URL_TO_URL_RECOMMENDATION_RUBY URL_TO_URL_RECOMMENDATION_VIEW URL_TO_URL_RECOMMENDATION_HEART STOCK_END_OF_DAY_NOTIFICATION STOCK_IPO_DAY_OF_NOTIFICATION FEED_AWARDS_TO_AWARDS_CEREMONY_REMINDER FEED_AWARDS_TO_AWARDS_CEREMONY_SUMMARY FEED_AWARDS_NOMINEE_TO_AWARDS_CEREMONY_REMINDER FEED_FILM_FESTIVAL_TO_ONGOING_FILM_FESTIVAL FEED_ARTIST_TO_ONGOING_MUSIC_FESTIVAL FEED_MUSIC_FESTIVAL_TO_ONGOING_MUSIC_FESTIVAL FEED_EPHEMERAL_EVENT_LIVESTREAM FEED_MULTISPORT_EVENT_OPENING_CEREMONY_REMINDER FEED_MULTISPORT_EVENT_GENERAL_INFORMATION FEED_MULTISPORT_EVENT_GAME_WINNER FEED_MULTISPORT_EVENT_END_OF_GAMES FEED_PBX_MOVIE FEED_PBX_TV FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION RECENTLY_FOLLOWED RECENTLY_FOLLOWED_N2Y MOST_RECENTLY_FOLLOWED FEED_HEALTH FEED_STORIES_COLLECTION SEARCH_ENGAGEMENT_HIGHLIGHT SEARCH_ENGAGEMENT_ASKJOE VIDYA_ONBOARDING FEED_ADS FEED_ADS_HERO_IMAGE FEED_ADS_SQUARE_IMAGE FEED_ADS_SQUARE_CAROUSEL FEED_ADS_SQUARE_THUMBNAIL FEED_ADS_PORTRAIT_IMAGE FEED_ADS_PORTRAIT_CAROUSEL FEED_ADS_CLICK_TO_DOWNLOAD FEED_ADS_CLICK_TO_DOWNLOAD_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_APP FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_DYNAMIC_SHOPPING FEED_ADS_MULTI_PHOTO FEED_ADS_MULTI_PHOTO_PER_CARD_HEADLINE FEED_ADS_ONO_HERO_IMAGE FEED_ADS_DYNAMIC_SHOPPING FEED_ADS_RATIO_TWEAK FEED_ADS_VIDEO FEED_ADS_VIDEO_SQUARE FEED_ADS_VIDEO_PORTRAIT FEED_ADS_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_PHOTO FEED_ADS_APP_REENGAGEMENT_HERO_IMAGE FEED_ADS_APP_REENGAGEMENT_SQUARE FEED_HEADLINE_NEWS FEED_NATION_NEWS FEED_WORLD_NEWS FEED_ENTERTAINMENT_NEWS FEED_SPORTS_NEWS FEED_BUSINESS_NEWS FEED_SCITECH_NEWS CONTEXTUAL_NOTIFICATION LOTTERY_RESULT_NOTIFICATION WEBSITE_UPDATE INTENT_ANNOTATION_DEMO FEED_VIDEO DEEP_TRENDS HIDE_INFERRED_LANGUAGE NOW_PERSISTENT_PUSH YOUTUBE_TENNIS_HIGHLIGHTS WEBKICK_TRENDING_STORIES STAMP LOCALLY_TRENDING_STORIES WEBKICK_LOCAL_STORIES WEBKICK_LOCAL_STORIES_GROUPING EXHIBITIONS ISSUE_SEARCH_QUERY KMU_TRENDING_POLITICS_STORY CARDMAKER SPORTS_TEAM_GAME SPORTS_IOS_LIVE_ACTIVITY SPORTS_ATHLETE_GAME SPORTS_ATHLETE_GAME_FOLLOWED SPORTS_LEAGUE_GAME SPORTS_LEAGUE_SCHEDULE SPORTS_LEAGUE_GAME_FOLLOWED SPORTS_MULTI_PARTICIPANT_GAME PUBLIC_ALERT URGENT_PUBLIC_ALERT UPCOMING_TURNDOWN_PROMO GOOGLE_STORIES BROAD_INTEREST_STORIES BROAD_INTEREST_STORIES_RECENTLY_FOLLOWED BROAD_INTEREST_STORIES_THE_MOST_RECENTLY_FOLLOWED BROAD_INTEREST_ECS_STORIES GEO_TARGETING_STORIES EPHEMERAL_EVENT_STORIES FRESH_VIDEOS TICKET_AVAILABILITY_NOTIFICATION TOPIC_FEED_ENTRY_POINTS SIX_PACK_LOW_ENGAGED COVID_19_ENTRY_POINTS MORNING_ENTRY_POINTS IMAGE PANOPTIC_ARTICLE LOCAL_RECOMMENDATION INTEREST_EXPLORATION DISCOVER_VIDEO_GAME_VIDEOS TWITTER_STORIES PODCAST CRISIS_RESPONSE_ALERT URGENT_CRISIS_RESPONSE_ALERT COOKING_VIDEOS FASHION_BEAUTY_VIDEOS ONEOFF_NOTIFICATION NEW_TO_YOU_GROUPING VISTAAR_ARTICLES CLASSIC_CORE_INTEREST_RESULT DEEP_TRENDS_FABLE FEED_VIDEO_DEEP_REC LIVEWEB_STORY FEED_ONBOARDING_INTEREST_PICKER_SPORTS_TEAMS FEED_INTEREST_PICKER_SPORT_CRICKET_IPL_TEAMS FEED_ONBOARDING_INTEREST_PICKER_BROAD_TOPICS CORE_INTEREST_INTEREST_PICKER INTEREST_PICKER_PILLS INTEREST_PICKER_CHANNEL_INTEREST_VOCAB INTEREST_PICKER_CREATORS INTEREST_PICKER_SPORTS_TEAMS GOG_POSTS GOG_CAMEOS MOONSTONE MOONSTONE_PROMOTED MOONSTONE_FRESH_EMBEDDING MOONSTONE_CORE_INTEREST_EMBEDDING MOONSTONE_NOTIFICATION NEW_MUSIC_ALBUM_RELEASE STORYTIME STORYTIME_SINGLETON STORY_RECOMMENDATIONS REAL_TIME_STORYTIME CLASSIC_CORE_INTEREST_FOOD_AND_COOKING CLASSIC_CORE_INTEREST_FASHION_AND_BEAUTY CLASSIC_CORE_INTEREST_TRAVEL CLASSIC_CORE_INTEREST_MUSIC CLASSIC_CORE_INTEREST_VIDEO_GAME CLASSIC_CORE_INTEREST_TV_AND_MOVIE CLASSIC_CORE_INTEREST_TV_AND_MOVIE_CATEGORIES CURATED_VIDEOS NEWS_HEADLINES DEEP_TRENDS_CORE_INTEREST FEED_CHANNELS_CONTENT POST_FOLLOW_GROUPING POST_FOLLOW_SURVEY NEW_FOLLOW CREATOR_FOLLOW_GROUPING CREATOR_FOLLOW_NEW_FOLLOW QUERY_RECOMMENDATIONS_FROM_CREATOR QUERY_RECOMMENDATIONS_ABOUT_CREATOR FEED_INTERESTED_CHANNELS_CONTENT CHANNELS_CONTENT FEED_ONBOARDING_LANGUAGE_PICKER INFEED_GOLD_PRICE_CARD WEB_FORUM EPHEMERAL_EXPERIENCES LOCAL_RECOMMENDATION_UGC_PLACE_REVIEW SIGN_IN_LURE_BUTTON WHAT_TO_STREAM U2U_VASCO_TASK CUTE_VIDEOS COVID19_LURE GOLDEN_URLS WEB_CHANNELS WEB_CHANNELS_ENTRY_POINTS COVID_NEWS_HEADLINES COVID_NEWS_HEADLINES_SINGLETON COVID_LOCAL_HEADLINES_GROUPING COVID_BEYOND_THE_HEADLINES_GROUPING COVID_CHANNEL_GROUPING_MENTAL_HEALTH COVID_CHANNEL_GROUPING_WORKOUT COVID_CHANNEL_GROUPING_WFH COVID_CHANNEL_GROUPING_RECIPE COVID_CHANNEL_GROUPING_PARENTING COVID_CHANNEL_GROUPING_YOGA COVID_CHANNEL_GROUPING_EDUCATION COVID_CHANNEL_GROUPING_GAMING COVID_CHANNEL_GROUPING_TABLETOP_GAME COVID_CHANNEL_GROUPING_STAY_CONNECTED COVID_CHANNEL_GROUPING_COFFEE_AT_HOME COVID_CHANNEL_GROUPING_PROTECT_YOURSELF COVID_CHANNEL_GROUPING_CREATIVITY_AT_HOME COVID_CHANNEL_GROUPING_WELLNESS SAPPHIRE STAMP_SHORT_VIDEO STAMP_SHORT_VIDEO_SINGLETON SHORT_VIDEO_4PACK EXPLORATION_GROUPING_ONE_TOPIC EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_EXPLORATION_GROUPING_ONE_TOPIC EXPLORE_CHANNEL_EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_BROAD_TOPICS_CHANNEL_PICKER FOLLOWING_FEED_EXPLORATION_GROUPING SHOPPABLE_IMAGE SUBSCRIBE_TO_SEARCH PINNED_CONTENT_FULFILLMENT PINNED_CONTENT_CAROUSEL_FULFILLMENT LOCAL_LIFT_STORIES NEWS_FULL_COVERAGE_ARTICLES NEWS_FULL_COVERAGE_ARTICLES_SINGLETON NEWS_FULL_COVERAGE_TWEETS NEWS_STORIES_HEADLINES NEWS_STORIES_WORLD NEWS_STORIES_REGION NEWS_STORIES_POLITICS NEWS_STORIES_BUSINESS NEWS_STORIES_TECHNOLOGY NEWS_STORIES_SCIENCE NEWS_STORIES_SPORTS NEWS_STORIES_ENTERTAINMENT NEWS_STORIES_OP_EDS NEWS_STORIES_LOCAL NEWS_STORIES_ISSUE_SPOTLIGHT NEWS_STORIES_BEYOND_THE_HEADLINES NEWS_STORIES_PERSONAL_SPOTLIGHT NEWS_STORIES_BREAKING LOCAL_CHANNEL_HEADLINES_GROUPING LOCAL_CHANNEL_HEADLINES_SINGLETONS LOCAL_CHANNEL_FOOD_GROUPING LOCAL_CHANNEL_REGIONAL_GROUPING LOCAL_CHANNEL_LIFESTYLE_GROUPING LOCAL_CHANNEL_VIDEO_GROUPING NEWS_CHANNEL_SINGLETONS LOCAL_CHANNEL_SINGLETONS KOHINOOR_STORIES STORIES_CHANNEL_SINGLETON LOCATION_MANAGEMENT_LURE PRIVACY_NOTICE_CARD SHAREABLE_IMAGES SHAREABLE_IMAGES_CAROUSEL SHAREABLE_IMAGES_FOUR_PACK SHAREABLE_IMAGES_SIX_PACK SHAREABLE_IMAGES_SINGLETON STATEFUL_TASK TRENDING_CHANNELS TRENDING_CHANNELS_SHOPPING TRENDING_CHANNELS_ENTERTAINMENT TRENDING_CHANNELS_BASEBALL TRENDING_CHANNELS_GADGETS TRENDING_CHANNELS_FASHION FIREFLY GARAMOND_DEMO BEYOND_THE_HEADLINES_SINGLETON GARAMOND_RELATED_ARTICLE_GROUPING TOP_SEARCH_INTERACTED INFO_LURE EDITORIAL_STORIES_GROUPING PALATINO_LURE GARAMOND_INTRO LAST_YEAR_TODAY_STORIES DISCOVER_LIGHTWEIGHT_FIRST_PAGE DIVERSE_CONTENT WEB_GAMES FAN_CONTENT_GROUPING RELATED_CONTENT RELATED_CONTENT_RUBY NEW_TO_YOU_MIDNIGHT_TRAIN_TASK HOME_STACK SHOPPING_INSPIRATION SHOPPING_INSPIRATION_DEMO FOLLOWING_FEED WHAT_TO_COOK WEB_CHANNELS_CHANNEL_IN_BAR_LURE AUGMENTED_REALITY HEARTBEAT FOLLOW_INTEREST OLYMPICS_FEATURED_EVENTS CREATOR_CHANNELS_4PACK TAPPABLE_QUERIES PRIVACY_AWARENESS_PROMO CREATOR_CHANNEL_CREATOR_RECOMMENDATIONS CREATOR_CHANNEL_SINGLETON_CONTENT_RECOMMENDATION FLOODS_DATAHUB FOLLOWING_FEED_ENTRY_LURE SOCIAL_PERSPECTIVES SCALABLE_ATTRIBUTE_VIDEOS TRENDING_HASHTAGS IMAGE_GRID SHOPPING_IMAGE_GRID INSPIRING_HASHTAG_IMAGES CONTENT_EXPLORATION CONTENT_EXPLORATION_VIDEOS EPHEMERAL_EVENT EPHEMERAL_EVENT_TWO_PACK MORE_STORIES_LURE WINTER_OLYMPICS WINTER_OLYMPICS_MEDALS WINTER_OLYMPICS_RECAP_VIDEO WINTER_OLYMPICS_LIVE_STORIES DISCOVER_PROMO_CARD DISCOVER_MAGI_PROMO_CARD DAILY_DISCOVER_PROMO_CARD DISCOVER_MAC_GAP_ON_PROMO_CARD DISCOVER_MAC_GAP_OFF_PROMO_CARD DISCOVER_UKRAINE_INFO TRENDING_VIDEOS TRENDING_TOPICS_CLUSTERS MOOD_CLUSTERS FOLLOWING_FEED_ONBOARDING PAGINATION_PANOPTIC FOOD_RECIPES_CLUSTER FOOD_INTERESTING_FINDS_ARTICLE_CLUSTER FOOD_INTERESTING_FINDS_VIDEO_CLUSTER SHOPPING_INSPIRATION_CLUSTER SUPER_INTEREST_ARTICLES_CLUSTER SUPER_INTEREST_SHORT_VIDEOS_CLUSTER CURATED_COLD_USER_ARTICLES_CLUSTER CURATED_COLD_USER_SHORT_VIDEOS_CLUSTER CURATED_GLOYO_ARTICLES_CLUSTER CURATED_GLOYO_SHORT_VIDEOS_CLUSTER THIN_PROFILE_USER_SHORT_VIDEOS_CLUSTER ON_DEVICE_MEDIA_CONTENT_CAROUSEL SEARCH_BASED_FAST_PERSONALIZATION CONTENT_AND_PLACE_MENTIONS_GROUPING SPORTS_ATHLETE_INFO RELATED_VIDEOS WHAT_TO_STREAM_SRP_ACTION_CLUSTER CONTAINER_EXPANSION_CONTRACTION_SWITCH MEDIA_CONTENT_EXPLORE_MORE_BANNER PETACAT_EXPLORATION PETACAT_CHANNEL SHOPPING_HALLOWEEN_PROMO_CARD SHOPPING_HOLIDAY_DEALS_PROMO_CARD ATTRIBUTE_VIDEO LENS_AWARENESS_PROMO_CARD FLAVOR_CORPUS_CHANNELS ON_DEVICE_MEDIA_CONTENT_ERROR NOW_NEW_ROMAN_IMAGE_LURE DISCOVER_YEAR_IN_SEARCH EUROPE_ENERGY_CRISIS_PROMO QUERY_RECOMMENDATIONS_WYWA QUERY_RECOMMENDATIONS_WYWA_PIN_AT_TOP QUERY_RECOMMENDATIONS_SIQE QUERY_RECOMMENDATIONS_TMSN QUERY_RECOMMENDATIONS_TRAVEL QUERY_RECOMMENDATIONS_TOM_RELATED_QUESTIONS QUERY_RECOMMENDATIONS_WEB_ANSWERS QUERY_RECOMMENDATIONS_TOM_Q2Q QUERY_RECOMMENDATIONS_GTQ QUERY_RECOMMENDATIONS_BROAD_LOCAL_NEWS QUERY_RECOMMENDATIONS_SIQE_NUROOT QUERY_RECOMMENDATIONS_NUROOT_SINGLETON QUERY_RECOMMENDATIONS_NUROOT_DOUBLETON QUERY_RECOMMENDATIONS_NUROOT_THREE_PACK QUERY_RECOMMENDATIONS_NUROOT_FOUR_PACK EXAMPLE_DISCOVER_FEATURE UCP_FOUR_PACK UCP_TWO_PACK FOLLOW_IN_MAIN_FEED TRAVEL_TTD_FOUR_PACK TRAVEL_TTD_FOUR_PACK_PREFABS DISCOVER_APP_MEDIA_FOUR_PACK DISCOVER_APP_AUDIO DISCOVER_APP_ON_DEVICE DISCOVER_APP_ON_DEVICE_ONBOARDING TAPPABLE_QUERIES_WITH_RANGE_POS_CONSTRAINTS SPORTS_LEAGUE_CLUSTER_INFO SPORTS_LEAGUE_STANDINGS_INFO TAPPABLE_QUERIES_WITH_CONSERVATIVE_POS_CONSTRAINTS LOCAL_EVENTS LOCAL_EVENTS_WITH_FIXED_POSITION_SPEC SHOPPING_PRODUCT_GRID SHOPPING_PRODUCT_GRID_SHORT_CARDS SHOP_THE_LOOK ASTRIA FP13N_EMBED_RETRIEVAL_CONTENT HEART_RELATED_CONTENT DISCOVER_TVM_VERTICAL UNPLANNED_EVENTS CONTENT_AND_PLACE_ATTACHMENTS HEART_FP13N_EMBED_RETRIEVAL_CONTENT SHOPPING_TASK_PRODUCT_GRID SHOPPING_TASK_PRODUCT_GRID_SHORT_CARDS NOW_NEW_ROMAN_CLUSTER NAV_QUERY_POST_FOLLOW_CONTENT TRANSLATED_CONTENT DISCOVER_VERTICAL GOOGLE_TWENTY_FIVE_PROMO_CARD SHOPPING_PRODUCT_GRID_PERSONALIZED_CATEGORY_SHORT_CARDS SHOPPING_PRODUCT_GRID_POPULAR_CATEGORY_SHORT_CARDS EXPLICIT_INTERESTS_TO_FOLLOWS_INFO_CARD JPS_SENIORS_PROMO_CARD SPORTS_TEAM_GAME_FOLLOWED SPORTS_TEAM_GAME_NEW_FOLLOW ADD_WIDGET_PROMO_CARD UCP_DELAYED_NOTES_CREATION_PROMPT_CARD QUERY_RECOMMENDATIONS_DINING QUERY_RECOMMENDATIONS_MOONSTONE QUERY_RECOMMENDATIONS_BROAD_TOPIC QUERY_RECOMMENDATIONS_FOLLOW_INSPIRED LOCAL_MERCHANT_CONTENT UPSELL_QUERY_PICKER LODGING_FOUR_PACK APP_UPGRADE_PROMO_CARD RAY_PROMO_CARD QUERY_RECOMMENDATIONS_JOURNEY_EXPLORATION QUERY_RECOMMENDATIONS_TVM_WHAT_TO_WATCH QUERY_RECOMMENDATIONS_TRAVEL_TTD VERTICAL_NEWS_DIGEST LOK_SABHA_ELECTION_PROMO QUERY_RECOMMENDATIONS_QUERY_CONTENT_EXPLORATION DEBUG_PROMO_CARD SHOPPING_DEALS_LURE QUERY_RECOMMENDATIONS_USER_BANDIT OLYMIPCS_SEARCH_GENERATIVE_EXPERIENCE_PROMO_CARD EUROPE_ELECTION_PROMO_CARD QUERY_RECOMMENDATIONS_LOCAL_ACTIVITIES EUROPE_ELECTION_RESULTS_PROMO_CARD QUERY_RECOMMENDATIONS_LIMELIGHT_REVIEW QUERY_RECOMMENDATIONS_LIMELIGHT_DISCUSSION QUERY_RECOMMENDATIONS_LOCAL_MERCHANT_CONTENT DISCOVER_LABS_PROMO_CARD OLYMIPCS_SEARCH_PLAYGROUND_PROMO_CARD QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_TOM_Q2Q_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_MIXED_CONTENT SMARTBOXES COMMUNITY_QNA_PROMO_CARD QUERY_RECOMMENDATIONS_TRENDING_MUSTNT_MISS QUERY_RECOMMENDATIONS_MUSTNT_MISS_IN_VERTICAL QUERY_FOLLOW_EMPTY_INJECTION_NOTICE QUERY_RECOMMENDATIONS_JOURNEY QUERY_RECOMMENDATIONS_HUVO_VIDEO QUERY_RECOMMENDATIONS_HUVO_CAROUSEL DISCOVER_PROMO_CARD_AT_ONE DISCOVER_PROMO_CARD_AT_SEVEN QUERY_RECOMMENDATIONS_SIQE_ACTIVITY QUERY_RECOMMENDATIONS_REPEAT_INFO INDIAN_PREMIER_LEAGUE ANIMA_NOTICE_CARD RWJ_SHORT_VIDEO ENTERTAINMENT_TRAILER_DROP SPORTS_GAME_SCHEDULE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Information about the current location. Specific information for this context. Upcoming events and reminders. Trip information. Ongoing trip information. Updates for the user. Content recommendations. Other recommendations. For cards in non personalized stream. Election information. Onboarding. Everything else. For Shadie demo. Cards that might be needed while in a vehicle. Bundle for feedback requested from user. NeedBundleTypes used in the intent system should appear after this line. See commentary at the start of the enumeration. Information about the user's next destination. Types with KMU/FEED prefix refer to Interest feed. Bundles for movie release related KMU intents. Bundle for stock ticker list card in dashboard. Bundle for trending story. Bundle for search awareness features. Bundle for sports awareness features. Bundle for TV Episodes awareness tips. Bundle for HOT_KP. Bundle for KMU finance intents. Sports game cluster. Personal Dashboard Enhancement. Visit go/personal-dashboard-v1.1 for more details. Experimental bundle for smeared movie clusters. Bundles for Assistant HQ (go/hq-now-integration). Bundles for Assistant HQ Eval (go/hq-now-integration). Bundles for welcome cards. Today in history cards. Bundles of new-to-you cards. More bundles are added to handle dismisses properly as V2 dismiss action is on the collection card and collections are identified with the bundles. Bundles of long term ineterest cards. Bundles of url-to-url Crosspath cards. Bundles of fresh url-to-url cards. Bundles of url-to-url cards. Bundles of url-to-url ruby cards. Bundles of Discover View triggered url-to-url cards. Bundles of Discover Hearts triggered url-to-url cards. Bundles for end-of-day stock notification cards. Bundles for awards ceremony cards. Bundles for film festival cards. Bundles for music festival cards. Bundles for ephemeral event livestream cards. Bundles for multi-sport event (e.g. Asian games) cards. Bundles for popularity based experience Bundles for books cards and notifications. Bundles for recently followed entities. Bundles for health cards and notifications. Bundles of Highlight cards. Bundles of AskJoe cards. Bundles for Vidya language onboarding features. Bundles for Ads -- go/feed-ads-frontend Hard news content types -- go/feed-news Bundle for Contextual notifications. Lottery related. Bundle for website update cards. Bundle for intent annotation offline demo and eval. Video cards. Bundle for DeepTrends stories. Bundle for Language Picker which will allow user to opt out from Bilingual feed. Bundle for notifications that were originally sent via push that need to be re-served during feed refresh. Bundle for tennis highlights. Bundle for webkick trending stories Bundle for STAMPs (go/stamp-feed-design). Locally trending stories are part of zero state content. Bundle for webkick local stories Bundle for museum exhibitions (add go link) User wants to issue a query. Parameterized by the query, itself, as a string. Bundle for politics trending story. Bundle for cardmaker cards. Sports on the intent system. Team game bundle. iOS live activity bundle. Athlete game bundle. Athlete game bundle for followed queries. League game bundle. League schedule bundle. League game bundle for followed queries. Multi participant game bundle. Bundles for Public Alerts cards. Bundle for upcoming turndown promo cards. Bundles for Google Stories Card. Broad interest stories (go/broad-interest-modeling-design). Stories targeted based on the user's city location. Stories based on date/time dependent events such as festivals. See go/festive-feed for festivals design. Videos from panoptic Start of ticket sales notification Topic feed entry points that lead to Topic Feed on a particular topic. Six Pack for users with low Discover engagement. A group of 6 COVID-19 related sub-intents. Using the same UI as the organic 6 Pack. A group of entry points that are triggered only in the morning. Images cluster. For now used for images experience prototyping in Discover. See go/images-in-discover-notes for project notes. Need bundle type corresponding to all Panoptic based fulfillers. Personalized local recommendation by go/local-stream-prd. Bundle for video games for core interests (fulfilled by videoroot). Bundle for Twitter in Discover card. Bundle for Podcast recommendations. Bundles for Crisis Response Alerts cards (SOS Alerts, Public Alerts) Bundle for cooking for core interests (fulfilled by videoroot). Bundle for fashion and beauty for core interests (fulfilled by videoroot). Bundle for One-off Notifications. N2Y content grouped around an interest or attribute (go/n2y-groupings-prd). Indic Articles from Vistaar. Core Interest fulfilled by ECS contents Design doc: (go/ci-content-ecs) Bundle for DeepTrends FaBLE stories. Design doc: (go/deep-trends-fable). Bundle for deep videos retrieval (fulfilled by videoroot). Bundle for liveweb stories. Legacy Interest picker go/follow related Pickers. Bundles for different Get-On-Google contents (go/gog) Bundles for Get-On-Google posts. Bundle for Get-On-Google cameos. Bundle for Moonstone quasi-personalized content. Need bundle type for Moonstone with Monet embedding on fresh content. Need bundle type for Moonstone with Monet embedding on core interest Bundle for Moonstone quasi-personalized content. Bundle for new album release Bundle for STORYTIME using carousel UI (go/storytimesite). Bundle for STORYTIME using the singleton UI (go/storytime-singleton-dd). Bundle for Story Recommendations (go/story-recs-serving-design). Bundle for Real Time P13n STAMPs (go/real-time-stamp-dd). Classic Core Interest food and cooking vertical, fulfilled by ECS contents Classic Core Interest fashion and beauty vertical, fulfilled by ECS contents Classic Core Interest travel vertical, fulfilled by ECS contents Classic Core Interest music vertical, fulfilled by ECS contents Classic Core Interest video game vertical, fulfilled by ECS contents Classic Core Interest tv and movies vertical, fulfilled by ECS contents Classic Core Interest tv and movies categories vertical, fulfilled by ECS contents Bundle for curated videos retrieval Bundle for News Headlines. Bundle for DeepTrends Core Interest stories. Design doc: (go/deep-trends-core-interest). Bundle for content from Topic Feed Channels in the main Discover feed. Bundle for post-follow grouping in the main Discover feed. Bundle for post-follow survey in the Discover feed. Bundle for post-follow grouping targeting new follows. Bundle for creator follows. go/creator-follow-plan Bundle for creator follows made recently. Bundle for creator content. Bundle for creator content. Bundle for content from from user interested channels in Main Feed. Bundle for fulfilling channels requests. Bundle for Inline Language Picker (go/feed-lang-picker) Bundle for gold price in Discover Feed. Bundle for forum content in Discover. Bundle for Ephemeral Experiences notifications. Personalized local recommendation with UGC photos and reviews contents for a single place (go/discover-ugc-review-card-prd) Sign in Lure Button for discover signed out users ( go/iga-signedout-discover ) Intent for Discover What To Watch streaming recommendations card. Intent for U2U content for Vasco tasks. Bundle for videos with cute attributes. Design doc: go/discover-attribute-videos-dd. Bundle for showing a COVID-19 lure card that points to OSRP. Golden URLS to show in discover. Bundle for WebChannels content in Discover. Bundle for WebChannels entry points (i.e., 6-pack) in Discover. go/web-channels-6-pack Covid news headlines in Discover. See go/covid19-headlines-discover-dd. For main feed cluster For landing page singletons For landing page local grouping These channel-specific types are needed to implement channel-specific packing rules (e.g., fixed position). Bundle for interest exploration stories in Discover. Bundle for triggering STAMP short video using a carousel UI on the Discover feed. Contra doc: go/contra_project_plan, go/contra-design Stamp doc: go/stamp_background Bundle for triggering STAMP short video using a singleton UI on the Discover feed. Design doc: go/stampshortvideo-carousel-dd Bundle for triggering STAMP short video using grid (4-pack) UI on the Discover feed. Bundle for exploration groupings. Doc: go/discover-exploration-groupings Bundle for exploration groupings in Explore Channel. Bundle for channel picker in Explore Channel. Bundle for exploration groupings in Following Feed Bundle for shoppable images. go/shoppable-images-in-discover-implementation Bundle of SUBSCRIBE_TO_SEARCH intents. For fulfilling content in the feed from notification click Bundle for local lift stories from panoptic's hivemind channel go/signedout-hivemind Bundles for Full Coverage landing pages. Bundle for the top news headlines from top publishers. Bundle for the top world news headlines from top publishers. Bundle for the top regional (e.g., "US") news headlines from top publishers. Bundle for the top politics news headlines from top publishers. Bundle for the top business news headlines from top publishers. Bundle for the top technology news headlines from top publishers. Bundle for the top science news headlines from top publishers. Bundle for the top sports news headlines from top publishers. Bundle for the top entertainment news headlines from top publishers. Bundle for the top news opinion articles. Bundle for the top local news articles. Bundle for ongoing / long-running news stories. Bundle for articles that provide in-depth reporting on key news topics. Bundle for niche news stories highly specific to the user. Bundle for breaking news articles. Bundle for a group of top local stories Bundle for singleton top local stories Bundle for a group of local food / restaurant stories Bundle for a group of state / county local stories Bundle for a group of local lifestyle stories Bundle for a group of local videos Singleton results for the #News channel. Singleton results for the #Local channel. Bundle for kohinoor content in discover. Bundle for Stories Channel in Discover. See go/serving-stories-channel. Bundle for a card letting the user configure their preferred location(s). Bundle for the privacy notice card. Bundle for Shareable Images Card in Discover. Bundle for Shareable Images in Discover using a Carousel UI on the discover feed. Bundle for Shareable Images in Discover using a Four-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Six-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Singleton UI on the discover feed. Bundle for Stateful Tasks in Discover. Bundle for Trending Channels. Bundle for Trending Channels Shopping card. Bundle for Trending Channels Entertainment card. Bundle for Trending Channels Baseball card. Bundle for Trending Channels Gadgets card. Bundle for Trending Channels Fashion card. Bundle for triggering content from torso/tail publishers. go/fireflyxdiscover-le Bundle for non-organically triggering garamond cards for demo / testing. Bundle for Beyond-the-headlines singletons in Discover. go/bth-discover-dd Bundle for Garamond related article groupings. go/garamond-related-articles Bundle for serving top search interacted urls in discover. go/top-search-interacted Bundle for info lures in Discover. See go/discover-info-lures Bundle for Editorial Curation stories in Discover. See http://go/discover-editorial-collections Bundle for Palatino lure in Discover. Bundle for got-it card to introduce garamond cards. go/garamond-got-it-card-plan Bundle for Lyt (aka last year today) stories for Feed on select dates. See go/lyt-stories-in-feed for more details. Bundle for Discover Lightweight First Page. See: go/lightweight-first-page. Bundles for showing unpersonalised feed in discover. Since we want to show each topic in a separate cluster, we are creating a separate need_bundle_type for each need_type. See: go/gold++-dd Bundle for showing web games in Discover. Bundles for showing Fancast content in discover. See: go/fancasts Need bundle type for related content intents. go/discover-emerald-server-design Need bundle type for related content intents for Discover Ruby. go/discover-ruby-serving Need bundle type for midnight train next step in user journey prediction. go/wa-journey-online Need bundle type for Discover home stack. go/home-stack-discover-dd Need bundle type for Shopping inspiration content go/shopping-inspiration-panoptic Need bundle type for Shopping Inspiration Demo cards. Need bundle type for Discover Following feed. Recipe bundle type in discover go/recipes-in-discover-design Need bundle tyoe for Web Channels Channel-in-bar lure go/discover-webchannels-channel-in-bar-lure-dd Need bundle type for Augmented Reality content. Please take a look at go/o20-athletes-in-ar for more details. Need bundle type for HeartBeat in GeoTargetingStroies. go/heartbeat-dd for more details. Need bundle type for Singleton follow card. go/o20-discover-follow-card Need Bundle for Featured Events Card for Olympics on Discover go/o21-featured-events-in-discover-design Need bundle type for Creator Channel 4-Pack Content go/cc-discover-4pack Need bundle type for engaging tappable queries on Discover. go/tappable-queries-dd Need bundle type for privacy awareness cards. go/discover-privacy-awareness-promos Need bundle type for Creator Channel 6-pack creator recommendation See go/cc-discover-6pack Need bundle type for Creator Channel singleton content recommendation Need bundle type for floods data hub notifications Need bundle type for Discover Following feed. Need bundle type for Social Perspectives content. Social Perspectives aims to organize social media conversations across platforms and surface them to Discover users. See go/fanspeak-social-perspectives-dispur-review-presentation. Need bundle type for Scalable Attribute content. Scalable Attribute content aims to deliver content based on content properties / flavor rather than ties to particular topics or mids. Bundle for trending channels go/discover-trending-hashtags Need bundle type for Image Grid in main feed. go/image-grid-main-feed. Need bundle type for Shopping Image Grid in main feed. go/discover-brand-le Need bundle type for Inspiring Hashtag Images in main feed. go/inspiring-hashtag-serving. For exploring new or tail content/creators. go/next-gen-content-explore. For exploring new video content. go/ce-discover-videos. Need bundle type for Events content in main feed. go/events-in-discover-dd. Need bundle type for Events content served as two pack in main feed. go/events-in-discover-dd. Need bundle type for more_stories (WEBKICK_STORIES_SECONDARY_PAGE_LURE) card. Need bundle type for Winter Olympics features. go/discover-winter-olympics-22-design Deprecated Need bundle type for configurable cards on the Discover feed. go/discover-promo-card-platform Need bundle type for a Magi promo card on the Discover feed using it's promo framework (go/discover-promo-card-platform). Need bundle type for Daily Discover Promo Card. go/daily-discover-promo-impl Need bundle type for a MAC GAP-on promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for a MAC GAP-off promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for showing Ukraine Info card. Need bundle type for mood clusters. go/discover-mood-based-cluster-fulfillment Need bundle type for following feed onboarding. go/following-feed-onboarding. Need bundle type for on-the-fly Panoptic content in Pagination. For Food Super-interest vertical go/food-super-interest-cluster go/horizon-3-shopping-experiences-design For generic Super-interests use go/define-discover-super-interests For on-device media content carousel go/media-content-on-discover-dd. For search based fast personalization go/search-based-fp-roadmap. Bundle for a group of article with place mentions. Athlete info for team/athlete games - go/athlete-triggering-dd Related videos - go/related-videos-aga-design Need bundle type for Discover What To Watch streaming srp action cluster. go/stream-srp-action Switch which makes a container expand/collapse. go/tangor-media-card-design 'Explore more' banner for media content on Discover. go/media-content-explore-more-banner Need bundle type for petacat exploration channel. We would like to do quality tuning with things like fixed position, so separate it from CONTENT. go/explore-value-with-multiarm-bandit Need bundle type for shopping halloween promo card. Need bundle type for shopping black friday deals promo card. Need bundle type for Discover Attribute videos. go/lens-awareness-promo Need bundle type for Discover Lens awareness promo card. Need bundle type for Discover flavor corpus project go/discover-corpus-lp Need Bundle type for Media Error states on Discover go/minus-one-tangor-error-states Need bundle type for NewRoman Image Lure card Need bundle type for a year in search info card. Need bundle type for European energy crisis card. Need bundle types for query recommendations. go/query-recommendations:serving-infra Need bundle type for "While you were away" (go/wywa-v0) Need bundle type for "Serendipitous query exploration" (go/siqe-quality) Need bundle type for "Teach Me Something New" (go/tmsn-dd) Need bundle type for Travel (go/travel-inspo-queries-dd) Need bundle type for "WebAnswers in QR" (go/sh-related-query) Need bundle type for "Aquarium WebAnswers in QR" (go/discover-questions-feature-dd) Need bundle type for Top-of-mind Q2Q (go/tom-q2q-infra) Need bundle type for Geo Targeting query recommendation. Need bundle type for broad local news query (go/discover-local-news-dd). Need bundle type for "Serendipitous query exploration" fulfilled via NuRoot backend. Need bundle type for singleton query clusters fulfilled via NuRoot backend. Need bundle type for doubleton query clusters fulfilled via NuRoot backend. Need bundle type for 3-pack query clusters fulfilled via NuRoot backend. Need bundle type for 4-pack query clusters fulfilled via NuRoot backend. Need bundle type for an example discover feature Bundle for UCP using 4-pack UI (go/ucp-discover-design). Bundle for UCP using 2-pack UI (go/ucp-discover-design). Need bundle type for followed content shown in the Main Feed go/follow-boost Need bundle type for Travel Things to Do using 4-pack UI (go/ttd-on-discover-design). Need bundle type for Travel Things to Do using 4-pack UI and prefabs (go/ttd-on-discover-design, go/discover-primitive-sfps). Need bundle type for media app content go/paces-design-doc Need bundle type for listen app content go/paces-listen-dd Need bundle type for on device app content go/discover-on-device-content Need bundle type for on device app content onboarding go/discover-on-device-content Need bundle type for range_position_spec based ranking in packer go/si-ep-delve-dd Need bundle type for sports league experience (go/sports-discover-league-cluster-design-doc). Need bundle type for sports league standings experience (go/standings-card-discover) Need bundle type for conservative adaptive ranking constraints go/si-ep-delve-adaptive-ranking-prd Need bundle type for local events content. go/local-events-on-discover Need bundle type for Shopping Product Grid in main feed. go/productgrid-fe-impl Need bundle type for Shopping Product Grid Short Cards with personalized queries in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shop The Look in main feed. go/stl-fe-design, go/sda-stl-be Need bundle type for Astria personalized content. Need bundle type for Fast Personalization embedding based retrieval content. go/fp13n-embed Need bundle type for heart related content. go/discover-heart Need bundle type for discover tvm vertical. go/discover-tvm-vertical-dd Need bundle type for unplanned events content. go/events-on-discover For article and place mentions attachments. go/discover-prefabs Need bundle type for heart fast personalization embedding based retrieval content. go/fp13n-embed Need bundle type for Task Product Grid in main feed. go/task-continuation-product-grid-be Need bundle type for Task Product Grid Short Cards in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for NewRoman Image Cluster card Need bundle type for Navigational Query source post-follow and query post-follow fulfillment. Currently only used for dark launch LE. go/nav_query_coverage_analysis Need bundle type for translated (Toledo) content on Discover (go/transcend-dd) Need bundle type for discover verticals content and attachments. go/events-using-qr-dd Need bundle type for Google 25th celebratory card on the Discover feed. See go/g25-xga Need bundle type for Shopping Product Grid Short Cards with personalized categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shopping Product Grid Short Cards with popular categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for info card in Discover main feed educating users that their explicit interests are now follows Need bundle type for promo card run by Japan Search for Seniors team in Discover main feed Need bundle type for followed sports team game cards. Need bundle type for sports team game cards targeting new follows. Need bundle type for followed sports team game cards. Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. Need bundle type for Dining (go/disco-dining-dd) Need bundle type for MOONSTONE Targeting query recommendation. Need bundle type for Broad Topic query recommendation. Need bundle type for Follow Inspired query recommendation. Need bundle for Local Merchant Content (go/mcc-discover-le). Need bundle type for upselling a query picker to users more likely to follow queries. Need bundle type for hotel and vacation rental Four-Pack UI on the discover feed. Need bundle type for app upgrade promo card shown to the user. Need bundle type for Results About You promo card shown to the user. Need bundle type for Journey Exploration query recommendation. Need bundle type for "w2w query"(go/w2w-for-discover) Need bundle type for Top Sights on QR (go/top-sights-qr-migration). Need bundle type for a content retriever retrieves hard-coded video game news. This retriever will be used for a signal LE. Bundle for Lok Sabha Promo on Discover Need bundle type for Query Content Exploration query recommendation. Need bundle type for the Discover Debug in-feed opt-in/debug card. go/discover-debug-card-dd. Need bundle type for the Shopping Deals Lure card on Discover. go/shopping-discover-promo-le Need bundle type for User Bandit query recommendation. Need bundle type for olympics SGE promo card. go/discover-olympics-sge Need bundle type for local activities query recommendations. Need bundle type for "LimeLight Review". go/discover-limelight-review-dd Need bundle type for "Limelight Discussions" go/discover-limelight-discussions-dd Need bundle for Local Merchant Content QR (go/mcc-discover-qr) Need bundle for internally used Discover labs promo card. Need bundle type for Olympics Playground promo card. go/olympic-search-playground-promo Need bundle type for rich entity attachment. go/sv-rich-design Need bundle type for recommended entity attachment go/offline-entity-enhancement Need bundle for mixed content query cluster of horizontal and shopping content (go/mixed-content-with-shopping). Need type for Smartboxes content. (go/smartbox-design) Need bundle type for Q&A in Discover LE promo card. go/community-qna-discover-le Need bundle type for Trending Mustn't Miss queries. go/trending-mustnt-miss-dd Need bundle for an empty injection notice. go/no-content-injection-notice-dd Need bundle type for Journey query recommendation. Need bundle type for Huvo video query recommendation. Need bundle type for HuVo clusters using carousel UI. Shared Need bundle type for promos running via the Seaport framework and set at position 1 in the Discover feed. go/discover-promo-in-seaport. Shared Need bundle type for promos running via the Seaport framework and set at position 7 in the Discover feed. go/discover-promo-in-seaport. Need bundle type for SIQE activity based recommendations. Need bundle type for repeat info query recommendation (go/repeat-info-needs). Need bundle type for https://en.wikipedia.org/wiki/Indian_Premier_League. Need bundle type for the Anima notice card Need bundle type for RWJ short video card. Need bundle type for "Entertainment Trailer Drop". go/sv-entertainment Game schedule bundle. type string secondaryAccessibilityLabelOnEmptyCluster description The string that should be used by screen readers for secondary_label_on_empty_cluster. If not set, the platform default for the label element should be used. type string secondaryClickAction $ref Sidekick__ClientAction description A secondary action attached to this Cluster header. If this is defined along with the secondary_label, a button like link will be added to the cluster header. secondaryClickActionOnEmptyCluster $ref Sidekick__ClientAction description A secondary action attached to this Cluster header. If this is defined along with the secondary_label_on_empty_cluster, a button like link will be added to the cluster header when the empty card is displayed. secondaryLabel $ref Sidekick__TemplatedString description Text assocated with a secondary action button that can be placed in the Cluster Header. We will show the secondary action button only if both the secondary_label and secondary_click_action are defined. secondaryLabelOnEmptyCluster $ref Sidekick__TemplatedString description Text assocated with a secondary action button that can be placed in the Cluster Header. We will show the secondary action button only if both the secondary_label_on_empty_cluster and secondary_click_action_on_empty_cluster are defined and the empty card is displayed. suppressClusterPadding description If false, clients should not group together content from more than one cluster. Cluster Packer packs each individual card inside its own cluster, and this field determines whether a cluster's contents should be grouped together with the previous cluster irrespective of their entry_update_id, controlling the multi-column layout. type boolean suppressSecondaryActionOnEmptyCluster description If the cluster supports both an empty card and a secondary action, suppress the secondary action when the empty card is displayed. type boolean title description Title displayed for the cluster. type string topMarginInDp description Top margin for the cluster, in DP Only specifiable for android v6.0+. format int32 type integer iterable_item_added root['schemas']['GoogleLogsTapandpayAndroid__BackupRestoreEvent']['properties']['errorType']['enum'][10] DB_ERROR root['schemas']['GoogleLogsTapandpayAndroid__BackupRestoreEvent']['properties']['errorType']['enum'][11] STORAGE_KEY_ERROR root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enum'][215] CLICK_SIDELOAD_CARD root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enum'][216] CLICK_REMOVE_SIDELOADED_CARD root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enumDescriptions'][215] ClosedLoop sideload operations See go/wallet-design-sideload-closedloop for more details. root['schemas']['LogsProtoPaymentsConsumerCore__EditUserCreatedPassPageEndingMetadata']['properties']['updateFailure']['enum'][4] UPDATE_FAILURE_SYNC_VALUABLE_FAILED root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__Action']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1065] SPORTS_SCHEDULE_CRICKET root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1066] SPORTS_SCHEDULE_SOCCER root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1067] SPORTS_SCHEDULE_BASEBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1068] SPORTS_SCHEDULE_AMERICAN_FOOTBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1069] SPORTS_SCHEDULE_HOCKEY root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1070] SPORTS_SCHEDULE_FOOTBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1471] TVM_WHAT_TO_WATCH_MOST_SEARCHED_CAROUSEL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1535] DEPRECATED_RECOMMENDED_QUERY_CLUSTER_DISCO_NOTES_ENTRY_POINT root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. iterable_item_removed root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1456] RECOMMENDED_QUERY_CLUSTER_DISCO_NOTES_ENTRY_POINT
prod/notifications-pa-v1	dictionary_item_added root['schemas']['GoogleLogsTapandpayAndroid__TransitHceSessionEvent']['properties']['isSideloaded'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_IosNotificationPermissions']['properties']['aiPrioritizationSetting'] values_changed root['revision'] new_value 20250309 old_value 20250304 root['schemas']['GoogleLogsTapandpayAndroid__TransitHceSessionEvent']['description'] new_value Event related to communication over NFC using close loop transit tap. Next id: 33 old_value Event related to communication over NFC using close loop transit tap. Next id: 32 root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_IosNotificationPermissions']['properties']['aiSummarizationSetting']['description'] new_value The setting that indicates whether the OS uses Apple Intelligence to summarize notifications for this app. This is currently an undocumented API, so we need to monitor how this is used. old_value The setting that indicates whether the app can uses Apple Intelligence to summarize notifications. This is currently an undocumented API, so we need to monitor how this is used. root['schemas']['Sidekick__Action']['properties']['type']['description'] new_value LINT.ThenChange( //depot/google3/logs/proto/sidekick/sidekicklogs.proto, //depot/google3/geo/sidekick/proto/analysis_action_map.txt, //depot/google3/java/com/google/search/now/common/footprints/NotificationActionTypes.java, ) old_value LINT.ThenChange( //depot/google3/logs/proto/sidekick/sidekicklogs.proto, //depot/google3/geo/sidekick/proto/analysis_action_map.txt, //depot/google3/java/com/google/search/now/common/data/action/ActionUtil.java, ) root['schemas']['Sidekick__ClusterMetadata']['properties'] new_value bottomMarginInDp description Override bottom margin for the given cluster in dp. Only specifiable for Android v6.0+. format int32 type integer clusterType description Type of the cluster. enum OTHER AROUND_YOU UPCOMING UPDATES STORIES TRIP MORE_CARDS WEBKICK_STORIES INTEREST_UPDATE ENTITY_BASED RECOMMENDATION EXPERIMENTAL ELECTION ONBOARDING THIRD_PARTY_APPS_AND_SITES NOW_ON_TAP_STREAM TOP_STORIES_GENERAL AT_A_CONTEXT TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED ELECTION_STORIES BEFORE_PLACE IN_VEHICLE DEEP_NOW_WHOLE_CLUSTER OLYMPICS INTERESTS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_PROMO_BANNER ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS NEW_TO_YOU FEED_ADS enumDescriptions All clusters not from types below. This type should be used only for debugging or as a temporary solution. Lotic cluster IDs. Cluster at the bottom of the stream for experimental cards. New cards should start out as experimental, and after approval may move to the "dogfood" stage to show up in other clusters. The cluster is to be shown in the Now on Tap stream. See go/peek-at-now as an example feature. DeepNow is the framework for serving TensorFlow learned models to help in ranking/scoring Now cards. These models are learned using Now logs and intended to be displayed in a separate cluster for the initial live experiments. For more details, deep-now@ and/or jameskunz@. Cluster containing standalone election stories carousel, when there are no civic election cards present. Cluster containing information about the user's next destination. Cluster containing information that a user might need while in a vehicle. Similar to DEEP_NOW_SUGGESTED, but for when a whole cluster is moved. Cluster containing information about the olympics. Keep me updated (KMU) interest clusters. Weather cluster in Lightyear to be ranked at 1. Cluster containing a HaTS survey card. Single view tutorial card position to be ranked at 1 and shown rarely. Clusters for the Assistant HQ. Clusters for the new-to-you content. Ads clusters. type string needBundleType description The type of the NeedBundle that triggers the cluster. enum UNKNOWN CURRENT_LOCATION AT_A_CONTEXT UPCOMING TRIP CURRENT_TRIP UPDATE CONTENT RECOMMENDATION NON_PERSONALIZED ELECTION ELECTION_STORIES ONBOARDING ONBOARDING_MOVIES ONBOARDING_MUSIC ONBOARDING_SPORTS ONBOARDING_STOCKS FULL_PAGE_INTEREST_PICKER_LURE MISC THIRD_PARTY THIRD_PARTY_APPS_AND_SITES CUSTOMIZE INTERNAL INTERNAL_TOP_OF_STREAM INTERNAL_BOTTOM_OF_STREAM INTERNAL_PROMO NOTIFICATION EXPERIMENTAL IOS_PROMO LOBBY IN_VEHICLE OLYMPICS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME TOP_STORIES_GENERAL TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED BEFORE_PLACE KMU_MOVIE_WITH_RELEASE_DATE KMU_ACTOR_TO_MOVIE_WITH_RELEASE_DATE KMU_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_V2_MOVIE_STREAMING_WITH_RELEASE_DATE FEED_V2_MOVIE_WITH_RELEASE_DATE FEED_V2_YOUTUBE_MUSIC_VIDEOS FEED_V2_YOUTUBE_LIVE_STREAMS FEED_V2_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_ACTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_ARTIST_TO_YT_MUSIC_VIDEO FEED_ATHLETE_TO_TEAM_WITH_JOIN_DATE FEED_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_COACH_TO_TEAM_WITH_JOIN_DATE FEED_DIRECTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_LOCATION_TO_BOLLYWOOD_UPDATE FEED_MOVIE_SHOWTIMES FEED_MOVIE_TO_MOVIE_SEQUEL_WITH_RELEASE_DATE FEED_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_SPORTS_ATHLETE_COLLECTION FEED_SPORTS_LEAGUE_STANDING FEED_SPORTS_PRE_GAME_COLLECTION FEED_SPORTS_POST_GAME_COLLECTION FEED_SPORTS_ONGOING_GAME_COLLECTION FEED_SPORTS_PRIMARY_LEAGUE_COLLECTION FEED_SPORTS_SECONDARY_LEAGUE_COLLECTION FEED_SPORTS_TEAM_TO_JOIN_DATE FEED_SUGGESTED_ACTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_SUGGESTED_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_MOVIE_WITH_RELEASE_DATE FEED_TV_SERIES_TO_NEW_AIRING_EPISODE FEED_VIEDOGAME_TO_VIDEOGAME_SERIES_WITH_RELEASE_DATE FEED_VIDEOGAME_WITH_RELEASE_DATE FEED_VOTING_REMINDER FEED_ONBOARDING_INTEREST_PICKER FEED_GESTALT_WELCOME_CARD FEED_WEATHER DASHBOARD_STOCK_TICKER_LIST KMU_TRENDING_STORY SEARCH_AWARENESS SPORTS_AWARENESS TV_EPISODE_AWARENESS KMU_HOT_KP KMU_FINANCE KMU_SPORTS_GAME ENHANCED_PERSONAL_DASHBOARD_MY_DAY ENHANCED_PERSONAL_DASHBOARD_AROUND_ME ENHANCED_PERSONAL_DASHBOARD_UPDATES KMU_SMEARED_MOVIE_WITH_RELEASE_DATE ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS ASSISTANT_HQ_HIGHLIGHTS_EVAL ASSISTANT_HQ_AGENDA_EVAL ASSISTANT_HQ_TRAVEL_EVAL ASSISTANT_HQ_REMINDERS_EVAL ASSISTANT_HQ_ORDERS_EVAL ASSISTANT_HQ_SHOPPING_LIST_EVAL ASSISTANT_HQ_PROMO_BANNER TUTORIAL_PROMO_FEED TUTORIAL_PROMO_DASHBOARD FEED_TODAY_IN_HISTORY_BIRTHDAY FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY FEED_TODAY_IN_HISTORY_GEO_ESTABLISHED FEED_TODAY_IN_HISTORY_HISTORICAL_EVENT FEED_TODAY_IN_HISTORY_LAW_IN_EFFECT FEED_TODAY_IN_HISTORY_LAW_RATIFIED FEED_TODAY_IN_HISTORY_LEGAL_CASE_DECIDED FEED_TODAY_IN_HISTORY_EVENTS_LOCALIZED FEED_TODAY_IN_HISTORY_BIRTHDAY_LOCALIZED FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY_LOCALIZED NEW_TO_YOU NEW_TO_YOU_MOVIE NEW_TO_YOU_VIDEO_PURCHASE NEW_TO_YOU_TRIP NEW_TO_YOU_HOBBY_TRIP NEW_TO_YOU_LANDMARK NEW_TO_YOU_MOVIE_CAST NEW_TO_YOU_REMINDER NEW_TO_YOU_WHILE_TRAVELING NEW_TO_YOU_VASCO_TASK NEW_TO_YOU_VASCO_FRESH_TASK NEW_TO_YOU_VASCO_VIDEO_TASK NEW_TO_YOU_FRESH_INTEREST NEW_TO_YOU_BOOK_PURCHASE NEW_TO_YOU_VIDEO_GAME_PURCHASE NEW_TO_YOU_SOFTWARE_PURCHASE NEW_TO_YOU_LIVE_VIDEO NEW_TO_YOU_TODAY_IN_HISTORY NEW_TO_YOU_EVENT NEW_TO_YOU_LONG_TERM_INTEREST NEW_TO_YOU_PARENTING NEW_TO_YOU_AFTER_A_PLACE LONG_TERM_INTEREST URL_TO_URL_RECOMMENDATION_CROSSPATH URL_TO_URL_RECOMMENDATION_FRESH URL_TO_URL_RECOMMENDATION URL_TO_URL_RECOMMENDATION_RUBY URL_TO_URL_RECOMMENDATION_VIEW URL_TO_URL_RECOMMENDATION_HEART STOCK_END_OF_DAY_NOTIFICATION STOCK_IPO_DAY_OF_NOTIFICATION FEED_AWARDS_TO_AWARDS_CEREMONY_REMINDER FEED_AWARDS_TO_AWARDS_CEREMONY_SUMMARY FEED_AWARDS_NOMINEE_TO_AWARDS_CEREMONY_REMINDER FEED_FILM_FESTIVAL_TO_ONGOING_FILM_FESTIVAL FEED_ARTIST_TO_ONGOING_MUSIC_FESTIVAL FEED_MUSIC_FESTIVAL_TO_ONGOING_MUSIC_FESTIVAL FEED_EPHEMERAL_EVENT_LIVESTREAM FEED_MULTISPORT_EVENT_OPENING_CEREMONY_REMINDER FEED_MULTISPORT_EVENT_GENERAL_INFORMATION FEED_MULTISPORT_EVENT_GAME_WINNER FEED_MULTISPORT_EVENT_END_OF_GAMES FEED_PBX_MOVIE FEED_PBX_TV FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION RECENTLY_FOLLOWED RECENTLY_FOLLOWED_N2Y MOST_RECENTLY_FOLLOWED FEED_HEALTH FEED_STORIES_COLLECTION SEARCH_ENGAGEMENT_HIGHLIGHT SEARCH_ENGAGEMENT_ASKJOE VIDYA_ONBOARDING FEED_ADS FEED_ADS_HERO_IMAGE FEED_ADS_SQUARE_IMAGE FEED_ADS_SQUARE_CAROUSEL FEED_ADS_SQUARE_THUMBNAIL FEED_ADS_PORTRAIT_IMAGE FEED_ADS_PORTRAIT_CAROUSEL FEED_ADS_CLICK_TO_DOWNLOAD FEED_ADS_CLICK_TO_DOWNLOAD_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_APP FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_DYNAMIC_SHOPPING FEED_ADS_MULTI_PHOTO FEED_ADS_MULTI_PHOTO_PER_CARD_HEADLINE FEED_ADS_ONO_HERO_IMAGE FEED_ADS_DYNAMIC_SHOPPING FEED_ADS_RATIO_TWEAK FEED_ADS_VIDEO FEED_ADS_VIDEO_SQUARE FEED_ADS_VIDEO_PORTRAIT FEED_ADS_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_PHOTO FEED_ADS_APP_REENGAGEMENT_HERO_IMAGE FEED_ADS_APP_REENGAGEMENT_SQUARE FEED_HEADLINE_NEWS FEED_NATION_NEWS FEED_WORLD_NEWS FEED_ENTERTAINMENT_NEWS FEED_SPORTS_NEWS FEED_BUSINESS_NEWS FEED_SCITECH_NEWS CONTEXTUAL_NOTIFICATION LOTTERY_RESULT_NOTIFICATION WEBSITE_UPDATE INTENT_ANNOTATION_DEMO FEED_VIDEO DEEP_TRENDS HIDE_INFERRED_LANGUAGE NOW_PERSISTENT_PUSH YOUTUBE_TENNIS_HIGHLIGHTS WEBKICK_TRENDING_STORIES STAMP LOCALLY_TRENDING_STORIES WEBKICK_LOCAL_STORIES WEBKICK_LOCAL_STORIES_GROUPING EXHIBITIONS ISSUE_SEARCH_QUERY KMU_TRENDING_POLITICS_STORY CARDMAKER SPORTS_TEAM_GAME SPORTS_IOS_LIVE_ACTIVITY SPORTS_ATHLETE_GAME SPORTS_ATHLETE_GAME_FOLLOWED SPORTS_LEAGUE_GAME SPORTS_LEAGUE_SCHEDULE SPORTS_LEAGUE_GAME_FOLLOWED SPORTS_MULTI_PARTICIPANT_GAME PUBLIC_ALERT URGENT_PUBLIC_ALERT UPCOMING_TURNDOWN_PROMO GOOGLE_STORIES BROAD_INTEREST_STORIES BROAD_INTEREST_STORIES_RECENTLY_FOLLOWED BROAD_INTEREST_STORIES_THE_MOST_RECENTLY_FOLLOWED BROAD_INTEREST_ECS_STORIES GEO_TARGETING_STORIES EPHEMERAL_EVENT_STORIES FRESH_VIDEOS TICKET_AVAILABILITY_NOTIFICATION TOPIC_FEED_ENTRY_POINTS SIX_PACK_LOW_ENGAGED COVID_19_ENTRY_POINTS MORNING_ENTRY_POINTS IMAGE PANOPTIC_ARTICLE LOCAL_RECOMMENDATION INTEREST_EXPLORATION DISCOVER_VIDEO_GAME_VIDEOS TWITTER_STORIES PODCAST CRISIS_RESPONSE_ALERT URGENT_CRISIS_RESPONSE_ALERT COOKING_VIDEOS FASHION_BEAUTY_VIDEOS ONEOFF_NOTIFICATION NEW_TO_YOU_GROUPING VISTAAR_ARTICLES CLASSIC_CORE_INTEREST_RESULT DEEP_TRENDS_FABLE FEED_VIDEO_DEEP_REC LIVEWEB_STORY FEED_ONBOARDING_INTEREST_PICKER_SPORTS_TEAMS FEED_INTEREST_PICKER_SPORT_CRICKET_IPL_TEAMS FEED_ONBOARDING_INTEREST_PICKER_BROAD_TOPICS CORE_INTEREST_INTEREST_PICKER INTEREST_PICKER_PILLS INTEREST_PICKER_CHANNEL_INTEREST_VOCAB INTEREST_PICKER_CREATORS INTEREST_PICKER_SPORTS_TEAMS GOG_POSTS GOG_CAMEOS MOONSTONE MOONSTONE_PROMOTED MOONSTONE_FRESH_EMBEDDING MOONSTONE_CORE_INTEREST_EMBEDDING MOONSTONE_NOTIFICATION NEW_MUSIC_ALBUM_RELEASE STORYTIME STORYTIME_SINGLETON STORY_RECOMMENDATIONS REAL_TIME_STORYTIME CLASSIC_CORE_INTEREST_FOOD_AND_COOKING CLASSIC_CORE_INTEREST_FASHION_AND_BEAUTY CLASSIC_CORE_INTEREST_TRAVEL CLASSIC_CORE_INTEREST_MUSIC CLASSIC_CORE_INTEREST_VIDEO_GAME CLASSIC_CORE_INTEREST_TV_AND_MOVIE CLASSIC_CORE_INTEREST_TV_AND_MOVIE_CATEGORIES CURATED_VIDEOS NEWS_HEADLINES DEEP_TRENDS_CORE_INTEREST FEED_CHANNELS_CONTENT POST_FOLLOW_GROUPING POST_FOLLOW_SURVEY NEW_FOLLOW CREATOR_FOLLOW_GROUPING CREATOR_FOLLOW_NEW_FOLLOW QUERY_RECOMMENDATIONS_FROM_CREATOR QUERY_RECOMMENDATIONS_ABOUT_CREATOR FEED_INTERESTED_CHANNELS_CONTENT CHANNELS_CONTENT FEED_ONBOARDING_LANGUAGE_PICKER INFEED_GOLD_PRICE_CARD WEB_FORUM EPHEMERAL_EXPERIENCES LOCAL_RECOMMENDATION_UGC_PLACE_REVIEW SIGN_IN_LURE_BUTTON WHAT_TO_STREAM U2U_VASCO_TASK CUTE_VIDEOS COVID19_LURE GOLDEN_URLS WEB_CHANNELS WEB_CHANNELS_ENTRY_POINTS COVID_NEWS_HEADLINES COVID_NEWS_HEADLINES_SINGLETON COVID_LOCAL_HEADLINES_GROUPING COVID_BEYOND_THE_HEADLINES_GROUPING COVID_CHANNEL_GROUPING_MENTAL_HEALTH COVID_CHANNEL_GROUPING_WORKOUT COVID_CHANNEL_GROUPING_WFH COVID_CHANNEL_GROUPING_RECIPE COVID_CHANNEL_GROUPING_PARENTING COVID_CHANNEL_GROUPING_YOGA COVID_CHANNEL_GROUPING_EDUCATION COVID_CHANNEL_GROUPING_GAMING COVID_CHANNEL_GROUPING_TABLETOP_GAME COVID_CHANNEL_GROUPING_STAY_CONNECTED COVID_CHANNEL_GROUPING_COFFEE_AT_HOME COVID_CHANNEL_GROUPING_PROTECT_YOURSELF COVID_CHANNEL_GROUPING_CREATIVITY_AT_HOME COVID_CHANNEL_GROUPING_WELLNESS SAPPHIRE STAMP_SHORT_VIDEO STAMP_SHORT_VIDEO_SINGLETON SHORT_VIDEO_4PACK EXPLORATION_GROUPING_ONE_TOPIC EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_EXPLORATION_GROUPING_ONE_TOPIC EXPLORE_CHANNEL_EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_BROAD_TOPICS_CHANNEL_PICKER FOLLOWING_FEED_EXPLORATION_GROUPING SHOPPABLE_IMAGE SUBSCRIBE_TO_SEARCH PINNED_CONTENT_FULFILLMENT PINNED_CONTENT_CAROUSEL_FULFILLMENT LOCAL_LIFT_STORIES NEWS_FULL_COVERAGE_ARTICLES NEWS_FULL_COVERAGE_ARTICLES_SINGLETON NEWS_FULL_COVERAGE_TWEETS NEWS_STORIES_HEADLINES NEWS_STORIES_WORLD NEWS_STORIES_REGION NEWS_STORIES_POLITICS NEWS_STORIES_BUSINESS NEWS_STORIES_TECHNOLOGY NEWS_STORIES_SCIENCE NEWS_STORIES_SPORTS NEWS_STORIES_ENTERTAINMENT NEWS_STORIES_OP_EDS NEWS_STORIES_LOCAL NEWS_STORIES_ISSUE_SPOTLIGHT NEWS_STORIES_BEYOND_THE_HEADLINES NEWS_STORIES_PERSONAL_SPOTLIGHT NEWS_STORIES_BREAKING LOCAL_CHANNEL_HEADLINES_GROUPING LOCAL_CHANNEL_HEADLINES_SINGLETONS LOCAL_CHANNEL_FOOD_GROUPING LOCAL_CHANNEL_REGIONAL_GROUPING LOCAL_CHANNEL_LIFESTYLE_GROUPING LOCAL_CHANNEL_VIDEO_GROUPING NEWS_CHANNEL_SINGLETONS LOCAL_CHANNEL_SINGLETONS KOHINOOR_STORIES STORIES_CHANNEL_SINGLETON LOCATION_MANAGEMENT_LURE PRIVACY_NOTICE_CARD SHAREABLE_IMAGES SHAREABLE_IMAGES_CAROUSEL SHAREABLE_IMAGES_FOUR_PACK SHAREABLE_IMAGES_SIX_PACK SHAREABLE_IMAGES_SINGLETON STATEFUL_TASK TRENDING_CHANNELS TRENDING_CHANNELS_SHOPPING TRENDING_CHANNELS_ENTERTAINMENT TRENDING_CHANNELS_BASEBALL TRENDING_CHANNELS_GADGETS TRENDING_CHANNELS_FASHION FIREFLY GARAMOND_DEMO BEYOND_THE_HEADLINES_SINGLETON GARAMOND_RELATED_ARTICLE_GROUPING TOP_SEARCH_INTERACTED INFO_LURE EDITORIAL_STORIES_GROUPING PALATINO_LURE GARAMOND_INTRO LAST_YEAR_TODAY_STORIES DISCOVER_LIGHTWEIGHT_FIRST_PAGE DIVERSE_CONTENT WEB_GAMES FAN_CONTENT_GROUPING RELATED_CONTENT RELATED_CONTENT_RUBY NEW_TO_YOU_MIDNIGHT_TRAIN_TASK HOME_STACK SHOPPING_INSPIRATION SHOPPING_INSPIRATION_DEMO FOLLOWING_FEED WHAT_TO_COOK WEB_CHANNELS_CHANNEL_IN_BAR_LURE AUGMENTED_REALITY HEARTBEAT FOLLOW_INTEREST OLYMPICS_FEATURED_EVENTS CREATOR_CHANNELS_4PACK TAPPABLE_QUERIES PRIVACY_AWARENESS_PROMO CREATOR_CHANNEL_CREATOR_RECOMMENDATIONS CREATOR_CHANNEL_SINGLETON_CONTENT_RECOMMENDATION FLOODS_DATAHUB FOLLOWING_FEED_ENTRY_LURE SOCIAL_PERSPECTIVES SCALABLE_ATTRIBUTE_VIDEOS TRENDING_HASHTAGS IMAGE_GRID SHOPPING_IMAGE_GRID INSPIRING_HASHTAG_IMAGES CONTENT_EXPLORATION CONTENT_EXPLORATION_VIDEOS EPHEMERAL_EVENT EPHEMERAL_EVENT_TWO_PACK MORE_STORIES_LURE WINTER_OLYMPICS WINTER_OLYMPICS_MEDALS WINTER_OLYMPICS_RECAP_VIDEO WINTER_OLYMPICS_LIVE_STORIES DISCOVER_PROMO_CARD DISCOVER_MAGI_PROMO_CARD DAILY_DISCOVER_PROMO_CARD DISCOVER_MAC_GAP_ON_PROMO_CARD DISCOVER_MAC_GAP_OFF_PROMO_CARD DISCOVER_UKRAINE_INFO TRENDING_VIDEOS TRENDING_TOPICS_CLUSTERS MOOD_CLUSTERS FOLLOWING_FEED_ONBOARDING PAGINATION_PANOPTIC FOOD_RECIPES_CLUSTER FOOD_INTERESTING_FINDS_ARTICLE_CLUSTER FOOD_INTERESTING_FINDS_VIDEO_CLUSTER SHOPPING_INSPIRATION_CLUSTER SUPER_INTEREST_ARTICLES_CLUSTER SUPER_INTEREST_SHORT_VIDEOS_CLUSTER CURATED_COLD_USER_ARTICLES_CLUSTER CURATED_COLD_USER_SHORT_VIDEOS_CLUSTER CURATED_GLOYO_ARTICLES_CLUSTER CURATED_GLOYO_SHORT_VIDEOS_CLUSTER THIN_PROFILE_USER_SHORT_VIDEOS_CLUSTER ON_DEVICE_MEDIA_CONTENT_CAROUSEL SEARCH_BASED_FAST_PERSONALIZATION CONTENT_AND_PLACE_MENTIONS_GROUPING SPORTS_ATHLETE_INFO RELATED_VIDEOS WHAT_TO_STREAM_SRP_ACTION_CLUSTER CONTAINER_EXPANSION_CONTRACTION_SWITCH MEDIA_CONTENT_EXPLORE_MORE_BANNER PETACAT_EXPLORATION PETACAT_CHANNEL SHOPPING_HALLOWEEN_PROMO_CARD SHOPPING_HOLIDAY_DEALS_PROMO_CARD ATTRIBUTE_VIDEO LENS_AWARENESS_PROMO_CARD FLAVOR_CORPUS_CHANNELS ON_DEVICE_MEDIA_CONTENT_ERROR NOW_NEW_ROMAN_IMAGE_LURE DISCOVER_YEAR_IN_SEARCH EUROPE_ENERGY_CRISIS_PROMO QUERY_RECOMMENDATIONS_WYWA QUERY_RECOMMENDATIONS_WYWA_PIN_AT_TOP QUERY_RECOMMENDATIONS_SIQE QUERY_RECOMMENDATIONS_TMSN QUERY_RECOMMENDATIONS_TRAVEL QUERY_RECOMMENDATIONS_TOM_RELATED_QUESTIONS QUERY_RECOMMENDATIONS_WEB_ANSWERS QUERY_RECOMMENDATIONS_TOM_Q2Q QUERY_RECOMMENDATIONS_GTQ QUERY_RECOMMENDATIONS_BROAD_LOCAL_NEWS QUERY_RECOMMENDATIONS_SIQE_NUROOT QUERY_RECOMMENDATIONS_NUROOT_SINGLETON QUERY_RECOMMENDATIONS_NUROOT_DOUBLETON QUERY_RECOMMENDATIONS_NUROOT_THREE_PACK QUERY_RECOMMENDATIONS_NUROOT_FOUR_PACK EXAMPLE_DISCOVER_FEATURE UCP_FOUR_PACK UCP_TWO_PACK FOLLOW_IN_MAIN_FEED TRAVEL_TTD_FOUR_PACK TRAVEL_TTD_FOUR_PACK_PREFABS DISCOVER_APP_MEDIA_FOUR_PACK DISCOVER_APP_AUDIO DISCOVER_APP_ON_DEVICE DISCOVER_APP_ON_DEVICE_ONBOARDING TAPPABLE_QUERIES_WITH_RANGE_POS_CONSTRAINTS SPORTS_LEAGUE_CLUSTER_INFO SPORTS_LEAGUE_STANDINGS_INFO TAPPABLE_QUERIES_WITH_CONSERVATIVE_POS_CONSTRAINTS LOCAL_EVENTS LOCAL_EVENTS_WITH_FIXED_POSITION_SPEC SHOPPING_PRODUCT_GRID SHOPPING_PRODUCT_GRID_SHORT_CARDS SHOP_THE_LOOK ASTRIA FP13N_EMBED_RETRIEVAL_CONTENT HEART_RELATED_CONTENT DISCOVER_TVM_VERTICAL UNPLANNED_EVENTS CONTENT_AND_PLACE_ATTACHMENTS HEART_FP13N_EMBED_RETRIEVAL_CONTENT SHOPPING_TASK_PRODUCT_GRID SHOPPING_TASK_PRODUCT_GRID_SHORT_CARDS NOW_NEW_ROMAN_CLUSTER NAV_QUERY_POST_FOLLOW_CONTENT TRANSLATED_CONTENT DISCOVER_VERTICAL GOOGLE_TWENTY_FIVE_PROMO_CARD SHOPPING_PRODUCT_GRID_PERSONALIZED_CATEGORY_SHORT_CARDS SHOPPING_PRODUCT_GRID_POPULAR_CATEGORY_SHORT_CARDS EXPLICIT_INTERESTS_TO_FOLLOWS_INFO_CARD JPS_SENIORS_PROMO_CARD SPORTS_TEAM_GAME_FOLLOWED SPORTS_TEAM_GAME_NEW_FOLLOW ADD_WIDGET_PROMO_CARD UCP_DELAYED_NOTES_CREATION_PROMPT_CARD QUERY_RECOMMENDATIONS_DINING QUERY_RECOMMENDATIONS_MOONSTONE QUERY_RECOMMENDATIONS_BROAD_TOPIC QUERY_RECOMMENDATIONS_FOLLOW_INSPIRED LOCAL_MERCHANT_CONTENT UPSELL_QUERY_PICKER LODGING_FOUR_PACK APP_UPGRADE_PROMO_CARD RAY_PROMO_CARD QUERY_RECOMMENDATIONS_JOURNEY_EXPLORATION QUERY_RECOMMENDATIONS_TVM_WHAT_TO_WATCH QUERY_RECOMMENDATIONS_TRAVEL_TTD VERTICAL_NEWS_DIGEST LOK_SABHA_ELECTION_PROMO QUERY_RECOMMENDATIONS_QUERY_CONTENT_EXPLORATION DEBUG_PROMO_CARD SHOPPING_DEALS_LURE QUERY_RECOMMENDATIONS_USER_BANDIT OLYMIPCS_SEARCH_GENERATIVE_EXPERIENCE_PROMO_CARD EUROPE_ELECTION_PROMO_CARD QUERY_RECOMMENDATIONS_LOCAL_ACTIVITIES EUROPE_ELECTION_RESULTS_PROMO_CARD QUERY_RECOMMENDATIONS_LIMELIGHT_REVIEW QUERY_RECOMMENDATIONS_LIMELIGHT_DISCUSSION QUERY_RECOMMENDATIONS_LOCAL_MERCHANT_CONTENT DISCOVER_LABS_PROMO_CARD OLYMIPCS_SEARCH_PLAYGROUND_PROMO_CARD QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_TOM_Q2Q_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_MIXED_CONTENT SMARTBOXES COMMUNITY_QNA_PROMO_CARD QUERY_RECOMMENDATIONS_TRENDING_MUSTNT_MISS QUERY_RECOMMENDATIONS_MUSTNT_MISS_IN_VERTICAL QUERY_FOLLOW_EMPTY_INJECTION_NOTICE QUERY_RECOMMENDATIONS_JOURNEY QUERY_RECOMMENDATIONS_HUVO_VIDEO QUERY_RECOMMENDATIONS_HUVO_CAROUSEL DISCOVER_PROMO_CARD_AT_ONE DISCOVER_PROMO_CARD_AT_SEVEN QUERY_RECOMMENDATIONS_SIQE_ACTIVITY QUERY_RECOMMENDATIONS_REPEAT_INFO INDIAN_PREMIER_LEAGUE ANIMA_NOTICE_CARD RWJ_SHORT_VIDEO ENTERTAINMENT_TRAILER_DROP SPORTS_GAME_SCHEDULE TVM_WHAT_TO_WATCH_MOST_SEARCHED_CAROUSEL enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Information about the current location. Specific information for this context. Upcoming events and reminders. Trip information. Ongoing trip information. Updates for the user. Content recommendations. Other recommendations. For cards in non personalized stream. Election information. Onboarding. Everything else. For Shadie demo. Cards that might be needed while in a vehicle. Bundle for feedback requested from user. NeedBundleTypes used in the intent system should appear after this line. See commentary at the start of the enumeration. Information about the user's next destination. Types with KMU/FEED prefix refer to Interest feed. Bundles for movie release related KMU intents. Bundle for stock ticker list card in dashboard. Bundle for trending story. Bundle for search awareness features. Bundle for sports awareness features. Bundle for TV Episodes awareness tips. Bundle for HOT_KP. Bundle for KMU finance intents. Sports game cluster. Personal Dashboard Enhancement. Visit go/personal-dashboard-v1.1 for more details. Experimental bundle for smeared movie clusters. Bundles for Assistant HQ (go/hq-now-integration). Bundles for Assistant HQ Eval (go/hq-now-integration). Bundles for welcome cards. Today in history cards. Bundles of new-to-you cards. More bundles are added to handle dismisses properly as V2 dismiss action is on the collection card and collections are identified with the bundles. Bundles of long term ineterest cards. Bundles of url-to-url Crosspath cards. Bundles of fresh url-to-url cards. Bundles of url-to-url cards. Bundles of url-to-url ruby cards. Bundles of Discover View triggered url-to-url cards. Bundles of Discover Hearts triggered url-to-url cards. Bundles for end-of-day stock notification cards. Bundles for awards ceremony cards. Bundles for film festival cards. Bundles for music festival cards. Bundles for ephemeral event livestream cards. Bundles for multi-sport event (e.g. Asian games) cards. Bundles for popularity based experience Bundles for books cards and notifications. Bundles for recently followed entities. Bundles for health cards and notifications. Bundles of Highlight cards. Bundles of AskJoe cards. Bundles for Vidya language onboarding features. Bundles for Ads -- go/feed-ads-frontend Hard news content types -- go/feed-news Bundle for Contextual notifications. Lottery related. Bundle for website update cards. Bundle for intent annotation offline demo and eval. Video cards. Bundle for DeepTrends stories. Bundle for Language Picker which will allow user to opt out from Bilingual feed. Bundle for notifications that were originally sent via push that need to be re-served during feed refresh. Bundle for tennis highlights. Bundle for webkick trending stories Bundle for STAMPs (go/stamp-feed-design). Locally trending stories are part of zero state content. Bundle for webkick local stories Bundle for museum exhibitions (add go link) User wants to issue a query. Parameterized by the query, itself, as a string. Bundle for politics trending story. Bundle for cardmaker cards. Sports on the intent system. Team game bundle. iOS live activity bundle. Athlete game bundle. Athlete game bundle for followed queries. League game bundle. League schedule bundle. League game bundle for followed queries. Multi participant game bundle. Bundles for Public Alerts cards. Bundle for upcoming turndown promo cards. Bundles for Google Stories Card. Broad interest stories (go/broad-interest-modeling-design). Stories targeted based on the user's city location. Stories based on date/time dependent events such as festivals. See go/festive-feed for festivals design. Videos from panoptic Start of ticket sales notification Topic feed entry points that lead to Topic Feed on a particular topic. Six Pack for users with low Discover engagement. A group of 6 COVID-19 related sub-intents. Using the same UI as the organic 6 Pack. A group of entry points that are triggered only in the morning. Images cluster. For now used for images experience prototyping in Discover. See go/images-in-discover-notes for project notes. Need bundle type corresponding to all Panoptic based fulfillers. Personalized local recommendation by go/local-stream-prd. Bundle for video games for core interests (fulfilled by videoroot). Bundle for Twitter in Discover card. Bundle for Podcast recommendations. Bundles for Crisis Response Alerts cards (SOS Alerts, Public Alerts) Bundle for cooking for core interests (fulfilled by videoroot). Bundle for fashion and beauty for core interests (fulfilled by videoroot). Bundle for One-off Notifications. N2Y content grouped around an interest or attribute (go/n2y-groupings-prd). Indic Articles from Vistaar. Core Interest fulfilled by ECS contents Design doc: (go/ci-content-ecs) Bundle for DeepTrends FaBLE stories. Design doc: (go/deep-trends-fable). Bundle for deep videos retrieval (fulfilled by videoroot). Bundle for liveweb stories. Legacy Interest picker go/follow related Pickers. Bundles for different Get-On-Google contents (go/gog) Bundles for Get-On-Google posts. Bundle for Get-On-Google cameos. Bundle for Moonstone quasi-personalized content. Need bundle type for Moonstone with Monet embedding on fresh content. Need bundle type for Moonstone with Monet embedding on core interest Bundle for Moonstone quasi-personalized content. Bundle for new album release Bundle for STORYTIME using carousel UI (go/storytimesite). Bundle for STORYTIME using the singleton UI (go/storytime-singleton-dd). Bundle for Story Recommendations (go/story-recs-serving-design). Bundle for Real Time P13n STAMPs (go/real-time-stamp-dd). Classic Core Interest food and cooking vertical, fulfilled by ECS contents Classic Core Interest fashion and beauty vertical, fulfilled by ECS contents Classic Core Interest travel vertical, fulfilled by ECS contents Classic Core Interest music vertical, fulfilled by ECS contents Classic Core Interest video game vertical, fulfilled by ECS contents Classic Core Interest tv and movies vertical, fulfilled by ECS contents Classic Core Interest tv and movies categories vertical, fulfilled by ECS contents Bundle for curated videos retrieval Bundle for News Headlines. Bundle for DeepTrends Core Interest stories. Design doc: (go/deep-trends-core-interest). Bundle for content from Topic Feed Channels in the main Discover feed. Bundle for post-follow grouping in the main Discover feed. Bundle for post-follow survey in the Discover feed. Bundle for post-follow grouping targeting new follows. Bundle for creator follows. go/creator-follow-plan Bundle for creator follows made recently. Bundle for creator content. Bundle for creator content. Bundle for content from from user interested channels in Main Feed. Bundle for fulfilling channels requests. Bundle for Inline Language Picker (go/feed-lang-picker) Bundle for gold price in Discover Feed. Bundle for forum content in Discover. Bundle for Ephemeral Experiences notifications. Personalized local recommendation with UGC photos and reviews contents for a single place (go/discover-ugc-review-card-prd) Sign in Lure Button for discover signed out users ( go/iga-signedout-discover ) Intent for Discover What To Watch streaming recommendations card. Intent for U2U content for Vasco tasks. Bundle for videos with cute attributes. Design doc: go/discover-attribute-videos-dd. Bundle for showing a COVID-19 lure card that points to OSRP. Golden URLS to show in discover. Bundle for WebChannels content in Discover. Bundle for WebChannels entry points (i.e., 6-pack) in Discover. go/web-channels-6-pack Covid news headlines in Discover. See go/covid19-headlines-discover-dd. For main feed cluster For landing page singletons For landing page local grouping These channel-specific types are needed to implement channel-specific packing rules (e.g., fixed position). Bundle for interest exploration stories in Discover. Bundle for triggering STAMP short video using a carousel UI on the Discover feed. Contra doc: go/contra_project_plan, go/contra-design Stamp doc: go/stamp_background Bundle for triggering STAMP short video using a singleton UI on the Discover feed. Design doc: go/stampshortvideo-carousel-dd Bundle for triggering STAMP short video using grid (4-pack) UI on the Discover feed. Bundle for exploration groupings. Doc: go/discover-exploration-groupings Bundle for exploration groupings in Explore Channel. Bundle for channel picker in Explore Channel. Bundle for exploration groupings in Following Feed Bundle for shoppable images. go/shoppable-images-in-discover-implementation Bundle of SUBSCRIBE_TO_SEARCH intents. For fulfilling content in the feed from notification click Bundle for local lift stories from panoptic's hivemind channel go/signedout-hivemind Bundles for Full Coverage landing pages. Bundle for the top news headlines from top publishers. Bundle for the top world news headlines from top publishers. Bundle for the top regional (e.g., "US") news headlines from top publishers. Bundle for the top politics news headlines from top publishers. Bundle for the top business news headlines from top publishers. Bundle for the top technology news headlines from top publishers. Bundle for the top science news headlines from top publishers. Bundle for the top sports news headlines from top publishers. Bundle for the top entertainment news headlines from top publishers. Bundle for the top news opinion articles. Bundle for the top local news articles. Bundle for ongoing / long-running news stories. Bundle for articles that provide in-depth reporting on key news topics. Bundle for niche news stories highly specific to the user. Bundle for breaking news articles. Bundle for a group of top local stories Bundle for singleton top local stories Bundle for a group of local food / restaurant stories Bundle for a group of state / county local stories Bundle for a group of local lifestyle stories Bundle for a group of local videos Singleton results for the #News channel. Singleton results for the #Local channel. Bundle for kohinoor content in discover. Bundle for Stories Channel in Discover. See go/serving-stories-channel. Bundle for a card letting the user configure their preferred location(s). Bundle for the privacy notice card. Bundle for Shareable Images Card in Discover. Bundle for Shareable Images in Discover using a Carousel UI on the discover feed. Bundle for Shareable Images in Discover using a Four-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Six-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Singleton UI on the discover feed. Bundle for Stateful Tasks in Discover. Bundle for Trending Channels. Bundle for Trending Channels Shopping card. Bundle for Trending Channels Entertainment card. Bundle for Trending Channels Baseball card. Bundle for Trending Channels Gadgets card. Bundle for Trending Channels Fashion card. Bundle for triggering content from torso/tail publishers. go/fireflyxdiscover-le Bundle for non-organically triggering garamond cards for demo / testing. Bundle for Beyond-the-headlines singletons in Discover. go/bth-discover-dd Bundle for Garamond related article groupings. go/garamond-related-articles Bundle for serving top search interacted urls in discover. go/top-search-interacted Bundle for info lures in Discover. See go/discover-info-lures Bundle for Editorial Curation stories in Discover. See http://go/discover-editorial-collections Bundle for Palatino lure in Discover. Bundle for got-it card to introduce garamond cards. go/garamond-got-it-card-plan Bundle for Lyt (aka last year today) stories for Feed on select dates. See go/lyt-stories-in-feed for more details. Bundle for Discover Lightweight First Page. See: go/lightweight-first-page. Bundles for showing unpersonalised feed in discover. Since we want to show each topic in a separate cluster, we are creating a separate need_bundle_type for each need_type. See: go/gold++-dd Bundle for showing web games in Discover. Bundles for showing Fancast content in discover. See: go/fancasts Need bundle type for related content intents. go/discover-emerald-server-design Need bundle type for related content intents for Discover Ruby. go/discover-ruby-serving Need bundle type for midnight train next step in user journey prediction. go/wa-journey-online Need bundle type for Discover home stack. go/home-stack-discover-dd Need bundle type for Shopping inspiration content go/shopping-inspiration-panoptic Need bundle type for Shopping Inspiration Demo cards. Need bundle type for Discover Following feed. Recipe bundle type in discover go/recipes-in-discover-design Need bundle tyoe for Web Channels Channel-in-bar lure go/discover-webchannels-channel-in-bar-lure-dd Need bundle type for Augmented Reality content. Please take a look at go/o20-athletes-in-ar for more details. Need bundle type for HeartBeat in GeoTargetingStroies. go/heartbeat-dd for more details. Need bundle type for Singleton follow card. go/o20-discover-follow-card Need Bundle for Featured Events Card for Olympics on Discover go/o21-featured-events-in-discover-design Need bundle type for Creator Channel 4-Pack Content go/cc-discover-4pack Need bundle type for engaging tappable queries on Discover. go/tappable-queries-dd Need bundle type for privacy awareness cards. go/discover-privacy-awareness-promos Need bundle type for Creator Channel 6-pack creator recommendation See go/cc-discover-6pack Need bundle type for Creator Channel singleton content recommendation Need bundle type for floods data hub notifications Need bundle type for Discover Following feed. Need bundle type for Social Perspectives content. Social Perspectives aims to organize social media conversations across platforms and surface them to Discover users. See go/fanspeak-social-perspectives-dispur-review-presentation. Need bundle type for Scalable Attribute content. Scalable Attribute content aims to deliver content based on content properties / flavor rather than ties to particular topics or mids. Bundle for trending channels go/discover-trending-hashtags Need bundle type for Image Grid in main feed. go/image-grid-main-feed. Need bundle type for Shopping Image Grid in main feed. go/discover-brand-le Need bundle type for Inspiring Hashtag Images in main feed. go/inspiring-hashtag-serving. For exploring new or tail content/creators. go/next-gen-content-explore. For exploring new video content. go/ce-discover-videos. Need bundle type for Events content in main feed. go/events-in-discover-dd. Need bundle type for Events content served as two pack in main feed. go/events-in-discover-dd. Need bundle type for more_stories (WEBKICK_STORIES_SECONDARY_PAGE_LURE) card. Need bundle type for Winter Olympics features. go/discover-winter-olympics-22-design Deprecated Need bundle type for configurable cards on the Discover feed. go/discover-promo-card-platform Need bundle type for a Magi promo card on the Discover feed using it's promo framework (go/discover-promo-card-platform). Need bundle type for Daily Discover Promo Card. go/daily-discover-promo-impl Need bundle type for a MAC GAP-on promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for a MAC GAP-off promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for showing Ukraine Info card. Need bundle type for mood clusters. go/discover-mood-based-cluster-fulfillment Need bundle type for following feed onboarding. go/following-feed-onboarding. Need bundle type for on-the-fly Panoptic content in Pagination. For Food Super-interest vertical go/food-super-interest-cluster go/horizon-3-shopping-experiences-design For generic Super-interests use go/define-discover-super-interests For on-device media content carousel go/media-content-on-discover-dd. For search based fast personalization go/search-based-fp-roadmap. Bundle for a group of article with place mentions. Athlete info for team/athlete games - go/athlete-triggering-dd Related videos - go/related-videos-aga-design Need bundle type for Discover What To Watch streaming srp action cluster. go/stream-srp-action Switch which makes a container expand/collapse. go/tangor-media-card-design 'Explore more' banner for media content on Discover. go/media-content-explore-more-banner Need bundle type for petacat exploration channel. We would like to do quality tuning with things like fixed position, so separate it from CONTENT. go/explore-value-with-multiarm-bandit Need bundle type for shopping halloween promo card. Need bundle type for shopping black friday deals promo card. Need bundle type for Discover Attribute videos. go/lens-awareness-promo Need bundle type for Discover Lens awareness promo card. Need bundle type for Discover flavor corpus project go/discover-corpus-lp Need Bundle type for Media Error states on Discover go/minus-one-tangor-error-states Need bundle type for NewRoman Image Lure card Need bundle type for a year in search info card. Need bundle type for European energy crisis card. Need bundle types for query recommendations. go/query-recommendations:serving-infra Need bundle type for "While you were away" (go/wywa-v0) Need bundle type for "Serendipitous query exploration" (go/siqe-quality) Need bundle type for "Teach Me Something New" (go/tmsn-dd) Need bundle type for Travel (go/travel-inspo-queries-dd) Need bundle type for "WebAnswers in QR" (go/sh-related-query) Need bundle type for "Aquarium WebAnswers in QR" (go/discover-questions-feature-dd) Need bundle type for Top-of-mind Q2Q (go/tom-q2q-infra) Need bundle type for Geo Targeting query recommendation. Need bundle type for broad local news query (go/discover-local-news-dd). Need bundle type for "Serendipitous query exploration" fulfilled via NuRoot backend. Need bundle type for singleton query clusters fulfilled via NuRoot backend. Need bundle type for doubleton query clusters fulfilled via NuRoot backend. Need bundle type for 3-pack query clusters fulfilled via NuRoot backend. Need bundle type for 4-pack query clusters fulfilled via NuRoot backend. Need bundle type for an example discover feature Bundle for UCP using 4-pack UI (go/ucp-discover-design). Bundle for UCP using 2-pack UI (go/ucp-discover-design). Need bundle type for followed content shown in the Main Feed go/follow-boost Need bundle type for Travel Things to Do using 4-pack UI (go/ttd-on-discover-design). Need bundle type for Travel Things to Do using 4-pack UI and prefabs (go/ttd-on-discover-design, go/discover-primitive-sfps). Need bundle type for media app content go/paces-design-doc Need bundle type for listen app content go/paces-listen-dd Need bundle type for on device app content go/discover-on-device-content Need bundle type for on device app content onboarding go/discover-on-device-content Need bundle type for range_position_spec based ranking in packer go/si-ep-delve-dd Need bundle type for sports league experience (go/sports-discover-league-cluster-design-doc). Need bundle type for sports league standings experience (go/standings-card-discover) Need bundle type for conservative adaptive ranking constraints go/si-ep-delve-adaptive-ranking-prd Need bundle type for local events content. go/local-events-on-discover Need bundle type for Shopping Product Grid in main feed. go/productgrid-fe-impl Need bundle type for Shopping Product Grid Short Cards with personalized queries in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shop The Look in main feed. go/stl-fe-design, go/sda-stl-be Need bundle type for Astria personalized content. Need bundle type for Fast Personalization embedding based retrieval content. go/fp13n-embed Need bundle type for heart related content. go/discover-heart Need bundle type for discover tvm vertical. go/discover-tvm-vertical-dd Need bundle type for unplanned events content. go/events-on-discover For article and place mentions attachments. go/discover-prefabs Need bundle type for heart fast personalization embedding based retrieval content. go/fp13n-embed Need bundle type for Task Product Grid in main feed. go/task-continuation-product-grid-be Need bundle type for Task Product Grid Short Cards in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for NewRoman Image Cluster card Need bundle type for Navigational Query source post-follow and query post-follow fulfillment. Currently only used for dark launch LE. go/nav_query_coverage_analysis Need bundle type for translated (Toledo) content on Discover (go/transcend-dd) Need bundle type for discover verticals content and attachments. go/events-using-qr-dd Need bundle type for Google 25th celebratory card on the Discover feed. See go/g25-xga Need bundle type for Shopping Product Grid Short Cards with personalized categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shopping Product Grid Short Cards with popular categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for info card in Discover main feed educating users that their explicit interests are now follows Need bundle type for promo card run by Japan Search for Seniors team in Discover main feed Need bundle type for followed sports team game cards. Need bundle type for sports team game cards targeting new follows. Need bundle type for followed sports team game cards. Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. Need bundle type for Dining (go/disco-dining-dd) Need bundle type for MOONSTONE Targeting query recommendation. Need bundle type for Broad Topic query recommendation. Need bundle type for Follow Inspired query recommendation. Need bundle for Local Merchant Content (go/mcc-discover-le). Need bundle type for upselling a query picker to users more likely to follow queries. Need bundle type for hotel and vacation rental Four-Pack UI on the discover feed. Need bundle type for app upgrade promo card shown to the user. Need bundle type for Results About You promo card shown to the user. Need bundle type for Journey Exploration query recommendation. Need bundle type for "w2w query"(go/w2w-for-discover) Need bundle type for Top Sights on QR (go/top-sights-qr-migration). Need bundle type for a content retriever retrieves hard-coded video game news. This retriever will be used for a signal LE. Bundle for Lok Sabha Promo on Discover Need bundle type for Query Content Exploration query recommendation. Need bundle type for the Discover Debug in-feed opt-in/debug card. go/discover-debug-card-dd. Need bundle type for the Shopping Deals Lure card on Discover. go/shopping-discover-promo-le Need bundle type for User Bandit query recommendation. Need bundle type for olympics SGE promo card. go/discover-olympics-sge Need bundle type for local activities query recommendations. Need bundle type for "LimeLight Review". go/discover-limelight-review-dd Need bundle type for "Limelight Discussions" go/discover-limelight-discussions-dd Need bundle for Local Merchant Content QR (go/mcc-discover-qr) Need bundle for internally used Discover labs promo card. Need bundle type for Olympics Playground promo card. go/olympic-search-playground-promo Need bundle type for rich entity attachment. go/sv-rich-design Need bundle type for recommended entity attachment go/offline-entity-enhancement Need bundle for mixed content query cluster of horizontal and shopping content (go/mixed-content-with-shopping). Need type for Smartboxes content. (go/smartbox-design) Need bundle type for Q&A in Discover LE promo card. go/community-qna-discover-le Need bundle type for Trending Mustn't Miss queries. go/trending-mustnt-miss-dd Need bundle for an empty injection notice. go/no-content-injection-notice-dd Need bundle type for Journey query recommendation. Need bundle type for Huvo video query recommendation. Need bundle type for HuVo clusters using carousel UI. Shared Need bundle type for promos running via the Seaport framework and set at position 1 in the Discover feed. go/discover-promo-in-seaport. Shared Need bundle type for promos running via the Seaport framework and set at position 7 in the Discover feed. go/discover-promo-in-seaport. Need bundle type for SIQE activity based recommendations. Need bundle type for repeat info query recommendation (go/repeat-info-needs). Need bundle type for https://en.wikipedia.org/wiki/Indian_Premier_League. Need bundle type for the Anima notice card Need bundle type for RWJ short video card. Need bundle type for "Entertainment Trailer Drop". go/sv-entertainment Game schedule bundle. Need bundle type for "tvm w2w most searched carousel". type string suppressClusterPadding description If false, clients should not group together content from more than one cluster. Cluster Packer packs each individual card inside its own cluster, and this field determines whether a cluster's contents should be grouped together with the previous cluster irrespective of their entry_update_id, controlling the multi-column layout. type boolean title description Title displayed for the cluster. type string topMarginInDp description Top margin for the cluster, in DP Only specifiable for android v6.0+. format int32 type integer old_value backgroundColor description Color (argb) of background displayed in the cluster header. format uint32 type integer bottomMarginAllCardsInDp deprecated True description This used to override bottom margin for all cards in the given cluster in dp. It is now deprecated and should not be used in any version using Monet. (Do not use after AGSA v7.13) format int32 type integer bottomMarginInDp description Override bottom margin for the given cluster in dp. Only specifiable for Android v6.0+. format int32 type integer cardElevationInDp deprecated True description This used to override elevation for all cards in the given cluster in dp. It is now deprecated and should not be used in any version using Monet. (Do not use after AGSA v7.13) format int32 type integer clientAction deprecated True description This was added to support a drop down menu of actions. This is no longer used. items $ref Sidekick__ClientAction type array clusterType description Type of the cluster. enum OTHER AROUND_YOU UPCOMING UPDATES STORIES TRIP MORE_CARDS WEBKICK_STORIES INTEREST_UPDATE ENTITY_BASED RECOMMENDATION EXPERIMENTAL ELECTION ONBOARDING THIRD_PARTY_APPS_AND_SITES NOW_ON_TAP_STREAM TOP_STORIES_GENERAL AT_A_CONTEXT TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED ELECTION_STORIES BEFORE_PLACE IN_VEHICLE DEEP_NOW_WHOLE_CLUSTER OLYMPICS INTERESTS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_PROMO_BANNER ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS NEW_TO_YOU FEED_ADS enumDescriptions All clusters not from types below. This type should be used only for debugging or as a temporary solution. Lotic cluster IDs. Cluster at the bottom of the stream for experimental cards. New cards should start out as experimental, and after approval may move to the "dogfood" stage to show up in other clusters. The cluster is to be shown in the Now on Tap stream. See go/peek-at-now as an example feature. DeepNow is the framework for serving TensorFlow learned models to help in ranking/scoring Now cards. These models are learned using Now logs and intended to be displayed in a separate cluster for the initial live experiments. For more details, deep-now@ and/or jameskunz@. Cluster containing standalone election stories carousel, when there are no civic election cards present. Cluster containing information about the user's next destination. Cluster containing information that a user might need while in a vehicle. Similar to DEEP_NOW_SUGGESTED, but for when a whole cluster is moved. Cluster containing information about the olympics. Keep me updated (KMU) interest clusters. Weather cluster in Lightyear to be ranked at 1. Cluster containing a HaTS survey card. Single view tutorial card position to be ranked at 1 and shown rarely. Clusters for the Assistant HQ. Clusters for the new-to-you content. Ads clusters. type string dividerColor description Color (argb) used for the divider line between clusters. format uint32 type integer emptyClusterCardEntryUpdateId description This is the entry_update_id of the Entry which is considered the empty card for the Cluster, the Card shown if there is no other content. The card will be hidden if other cards are visible in the cluster. It must be in the top level of the children in the cluster. format int64 type string fontColor description Color (argb) of font displayed in the cluster header. format uint32 type integer headerImageUrl description URL of image displayed behind the cluster header. type string isChild description True if the card is inside a cluster. This field is populated only in joined/flattened logs by the joining script. type boolean isDividerVisible description Whether to show the divider type boolean isFullBleed description Whether all contents of the cluster should extend to the container edge. type boolean justification description Justification for why the cluster is being shown. type string needBundleType description The type of the NeedBundle that triggers the cluster. enum UNKNOWN CURRENT_LOCATION AT_A_CONTEXT UPCOMING TRIP CURRENT_TRIP UPDATE CONTENT RECOMMENDATION NON_PERSONALIZED ELECTION ELECTION_STORIES ONBOARDING ONBOARDING_MOVIES ONBOARDING_MUSIC ONBOARDING_SPORTS ONBOARDING_STOCKS FULL_PAGE_INTEREST_PICKER_LURE MISC THIRD_PARTY THIRD_PARTY_APPS_AND_SITES CUSTOMIZE INTERNAL INTERNAL_TOP_OF_STREAM INTERNAL_BOTTOM_OF_STREAM INTERNAL_PROMO NOTIFICATION EXPERIMENTAL IOS_PROMO LOBBY IN_VEHICLE OLYMPICS LIGHTYEAR_WEATHER HATS_FEEDBACK WARM_WELCOME TOP_STORIES_GENERAL TOP_STORIES_FOR_YOU DEEP_NOW_SUGGESTED BEFORE_PLACE KMU_MOVIE_WITH_RELEASE_DATE KMU_ACTOR_TO_MOVIE_WITH_RELEASE_DATE KMU_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_V2_MOVIE_STREAMING_WITH_RELEASE_DATE FEED_V2_MOVIE_WITH_RELEASE_DATE FEED_V2_YOUTUBE_MUSIC_VIDEOS FEED_V2_YOUTUBE_LIVE_STREAMS FEED_V2_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_ACTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_ARTIST_TO_YT_MUSIC_VIDEO FEED_ATHLETE_TO_TEAM_WITH_JOIN_DATE FEED_BOLLYWOOD_TO_BOLLYWOOD_UPDATE FEED_COACH_TO_TEAM_WITH_JOIN_DATE FEED_DIRECTOR_TO_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_LOCATION_TO_BOLLYWOOD_UPDATE FEED_MOVIE_SHOWTIMES FEED_MOVIE_TO_MOVIE_SEQUEL_WITH_RELEASE_DATE FEED_MOVIE_TRAILER_WITH_UPLOAD_DATE FEED_SPORTS_ATHLETE_COLLECTION FEED_SPORTS_LEAGUE_STANDING FEED_SPORTS_PRE_GAME_COLLECTION FEED_SPORTS_POST_GAME_COLLECTION FEED_SPORTS_ONGOING_GAME_COLLECTION FEED_SPORTS_PRIMARY_LEAGUE_COLLECTION FEED_SPORTS_SECONDARY_LEAGUE_COLLECTION FEED_SPORTS_TEAM_TO_JOIN_DATE FEED_SUGGESTED_ACTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_ARTIST_TO_ALBUM_WITH_RELEASE_DATE FEED_SUGGESTED_DIRECTOR_TO_MOVIE_WITH_RELEASE_DATE FEED_SUGGESTED_MOVIE_WITH_RELEASE_DATE FEED_TV_SERIES_TO_NEW_AIRING_EPISODE FEED_VIEDOGAME_TO_VIDEOGAME_SERIES_WITH_RELEASE_DATE FEED_VIDEOGAME_WITH_RELEASE_DATE FEED_VOTING_REMINDER FEED_ONBOARDING_INTEREST_PICKER FEED_GESTALT_WELCOME_CARD FEED_WEATHER DASHBOARD_STOCK_TICKER_LIST KMU_TRENDING_STORY SEARCH_AWARENESS SPORTS_AWARENESS TV_EPISODE_AWARENESS KMU_HOT_KP KMU_FINANCE KMU_SPORTS_GAME ENHANCED_PERSONAL_DASHBOARD_MY_DAY ENHANCED_PERSONAL_DASHBOARD_AROUND_ME ENHANCED_PERSONAL_DASHBOARD_UPDATES KMU_SMEARED_MOVIE_WITH_RELEASE_DATE ASSISTANT_HQ_HIGHLIGHTS ASSISTANT_HQ_AGENDA ASSISTANT_HQ_TRAVEL ASSISTANT_HQ_REMINDERS ASSISTANT_HQ_ORDERS ASSISTANT_HQ_SHOPPING_LIST ASSISTANT_HQ_SHORTCUT ASSISTANT_HQ_TRIPS ASSISTANT_HQ_HIGHLIGHTS_EVAL ASSISTANT_HQ_AGENDA_EVAL ASSISTANT_HQ_TRAVEL_EVAL ASSISTANT_HQ_REMINDERS_EVAL ASSISTANT_HQ_ORDERS_EVAL ASSISTANT_HQ_SHOPPING_LIST_EVAL ASSISTANT_HQ_PROMO_BANNER TUTORIAL_PROMO_FEED TUTORIAL_PROMO_DASHBOARD FEED_TODAY_IN_HISTORY_BIRTHDAY FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY FEED_TODAY_IN_HISTORY_GEO_ESTABLISHED FEED_TODAY_IN_HISTORY_HISTORICAL_EVENT FEED_TODAY_IN_HISTORY_LAW_IN_EFFECT FEED_TODAY_IN_HISTORY_LAW_RATIFIED FEED_TODAY_IN_HISTORY_LEGAL_CASE_DECIDED FEED_TODAY_IN_HISTORY_EVENTS_LOCALIZED FEED_TODAY_IN_HISTORY_BIRTHDAY_LOCALIZED FEED_TODAY_IN_HISTORY_DEATH_ANNIVERSARY_LOCALIZED NEW_TO_YOU NEW_TO_YOU_MOVIE NEW_TO_YOU_VIDEO_PURCHASE NEW_TO_YOU_TRIP NEW_TO_YOU_HOBBY_TRIP NEW_TO_YOU_LANDMARK NEW_TO_YOU_MOVIE_CAST NEW_TO_YOU_REMINDER NEW_TO_YOU_WHILE_TRAVELING NEW_TO_YOU_VASCO_TASK NEW_TO_YOU_VASCO_FRESH_TASK NEW_TO_YOU_VASCO_VIDEO_TASK NEW_TO_YOU_FRESH_INTEREST NEW_TO_YOU_BOOK_PURCHASE NEW_TO_YOU_VIDEO_GAME_PURCHASE NEW_TO_YOU_SOFTWARE_PURCHASE NEW_TO_YOU_LIVE_VIDEO NEW_TO_YOU_TODAY_IN_HISTORY NEW_TO_YOU_EVENT NEW_TO_YOU_LONG_TERM_INTEREST NEW_TO_YOU_PARENTING NEW_TO_YOU_AFTER_A_PLACE LONG_TERM_INTEREST URL_TO_URL_RECOMMENDATION_CROSSPATH URL_TO_URL_RECOMMENDATION_FRESH URL_TO_URL_RECOMMENDATION URL_TO_URL_RECOMMENDATION_RUBY URL_TO_URL_RECOMMENDATION_VIEW URL_TO_URL_RECOMMENDATION_HEART STOCK_END_OF_DAY_NOTIFICATION STOCK_IPO_DAY_OF_NOTIFICATION FEED_AWARDS_TO_AWARDS_CEREMONY_REMINDER FEED_AWARDS_TO_AWARDS_CEREMONY_SUMMARY FEED_AWARDS_NOMINEE_TO_AWARDS_CEREMONY_REMINDER FEED_FILM_FESTIVAL_TO_ONGOING_FILM_FESTIVAL FEED_ARTIST_TO_ONGOING_MUSIC_FESTIVAL FEED_MUSIC_FESTIVAL_TO_ONGOING_MUSIC_FESTIVAL FEED_EPHEMERAL_EVENT_LIVESTREAM FEED_MULTISPORT_EVENT_OPENING_CEREMONY_REMINDER FEED_MULTISPORT_EVENT_GENERAL_INFORMATION FEED_MULTISPORT_EVENT_GAME_WINNER FEED_MULTISPORT_EVENT_END_OF_GAMES FEED_PBX_MOVIE FEED_PBX_TV FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE FEED_AUTHOR_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION FEED_BOOK_SERIES_TO_BOOK_WITH_PUBLICATION_DATE_NOTIFICATION RECENTLY_FOLLOWED RECENTLY_FOLLOWED_N2Y MOST_RECENTLY_FOLLOWED FEED_HEALTH FEED_STORIES_COLLECTION SEARCH_ENGAGEMENT_HIGHLIGHT SEARCH_ENGAGEMENT_ASKJOE VIDYA_ONBOARDING FEED_ADS FEED_ADS_HERO_IMAGE FEED_ADS_SQUARE_IMAGE FEED_ADS_SQUARE_CAROUSEL FEED_ADS_SQUARE_THUMBNAIL FEED_ADS_PORTRAIT_IMAGE FEED_ADS_PORTRAIT_CAROUSEL FEED_ADS_CLICK_TO_DOWNLOAD FEED_ADS_CLICK_TO_DOWNLOAD_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_APP FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_SQUARE FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_PORTRAIT FEED_ADS_CLICK_TO_DOWNLOAD_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_DYNAMIC_SHOPPING FEED_ADS_MULTI_PHOTO FEED_ADS_MULTI_PHOTO_PER_CARD_HEADLINE FEED_ADS_ONO_HERO_IMAGE FEED_ADS_DYNAMIC_SHOPPING FEED_ADS_RATIO_TWEAK FEED_ADS_VIDEO FEED_ADS_VIDEO_SQUARE FEED_ADS_VIDEO_PORTRAIT FEED_ADS_VIDEO_VERTICAL FEED_ADS_CLICK_TO_DOWNLOAD_MULTI_PHOTO FEED_ADS_APP_REENGAGEMENT_HERO_IMAGE FEED_ADS_APP_REENGAGEMENT_SQUARE FEED_HEADLINE_NEWS FEED_NATION_NEWS FEED_WORLD_NEWS FEED_ENTERTAINMENT_NEWS FEED_SPORTS_NEWS FEED_BUSINESS_NEWS FEED_SCITECH_NEWS CONTEXTUAL_NOTIFICATION LOTTERY_RESULT_NOTIFICATION WEBSITE_UPDATE INTENT_ANNOTATION_DEMO FEED_VIDEO DEEP_TRENDS HIDE_INFERRED_LANGUAGE NOW_PERSISTENT_PUSH YOUTUBE_TENNIS_HIGHLIGHTS WEBKICK_TRENDING_STORIES STAMP LOCALLY_TRENDING_STORIES WEBKICK_LOCAL_STORIES WEBKICK_LOCAL_STORIES_GROUPING EXHIBITIONS ISSUE_SEARCH_QUERY KMU_TRENDING_POLITICS_STORY CARDMAKER SPORTS_TEAM_GAME SPORTS_IOS_LIVE_ACTIVITY SPORTS_ATHLETE_GAME SPORTS_ATHLETE_GAME_FOLLOWED SPORTS_LEAGUE_GAME SPORTS_LEAGUE_SCHEDULE SPORTS_LEAGUE_GAME_FOLLOWED SPORTS_MULTI_PARTICIPANT_GAME PUBLIC_ALERT URGENT_PUBLIC_ALERT UPCOMING_TURNDOWN_PROMO GOOGLE_STORIES BROAD_INTEREST_STORIES BROAD_INTEREST_STORIES_RECENTLY_FOLLOWED BROAD_INTEREST_STORIES_THE_MOST_RECENTLY_FOLLOWED BROAD_INTEREST_ECS_STORIES GEO_TARGETING_STORIES EPHEMERAL_EVENT_STORIES FRESH_VIDEOS TICKET_AVAILABILITY_NOTIFICATION TOPIC_FEED_ENTRY_POINTS SIX_PACK_LOW_ENGAGED COVID_19_ENTRY_POINTS MORNING_ENTRY_POINTS IMAGE PANOPTIC_ARTICLE LOCAL_RECOMMENDATION INTEREST_EXPLORATION DISCOVER_VIDEO_GAME_VIDEOS TWITTER_STORIES PODCAST CRISIS_RESPONSE_ALERT URGENT_CRISIS_RESPONSE_ALERT COOKING_VIDEOS FASHION_BEAUTY_VIDEOS ONEOFF_NOTIFICATION NEW_TO_YOU_GROUPING VISTAAR_ARTICLES CLASSIC_CORE_INTEREST_RESULT DEEP_TRENDS_FABLE FEED_VIDEO_DEEP_REC LIVEWEB_STORY FEED_ONBOARDING_INTEREST_PICKER_SPORTS_TEAMS FEED_INTEREST_PICKER_SPORT_CRICKET_IPL_TEAMS FEED_ONBOARDING_INTEREST_PICKER_BROAD_TOPICS CORE_INTEREST_INTEREST_PICKER INTEREST_PICKER_PILLS INTEREST_PICKER_CHANNEL_INTEREST_VOCAB INTEREST_PICKER_CREATORS INTEREST_PICKER_SPORTS_TEAMS GOG_POSTS GOG_CAMEOS MOONSTONE MOONSTONE_PROMOTED MOONSTONE_FRESH_EMBEDDING MOONSTONE_CORE_INTEREST_EMBEDDING MOONSTONE_NOTIFICATION NEW_MUSIC_ALBUM_RELEASE STORYTIME STORYTIME_SINGLETON STORY_RECOMMENDATIONS REAL_TIME_STORYTIME CLASSIC_CORE_INTEREST_FOOD_AND_COOKING CLASSIC_CORE_INTEREST_FASHION_AND_BEAUTY CLASSIC_CORE_INTEREST_TRAVEL CLASSIC_CORE_INTEREST_MUSIC CLASSIC_CORE_INTEREST_VIDEO_GAME CLASSIC_CORE_INTEREST_TV_AND_MOVIE CLASSIC_CORE_INTEREST_TV_AND_MOVIE_CATEGORIES CURATED_VIDEOS NEWS_HEADLINES DEEP_TRENDS_CORE_INTEREST FEED_CHANNELS_CONTENT POST_FOLLOW_GROUPING POST_FOLLOW_SURVEY NEW_FOLLOW CREATOR_FOLLOW_GROUPING CREATOR_FOLLOW_NEW_FOLLOW QUERY_RECOMMENDATIONS_FROM_CREATOR QUERY_RECOMMENDATIONS_ABOUT_CREATOR FEED_INTERESTED_CHANNELS_CONTENT CHANNELS_CONTENT FEED_ONBOARDING_LANGUAGE_PICKER INFEED_GOLD_PRICE_CARD WEB_FORUM EPHEMERAL_EXPERIENCES LOCAL_RECOMMENDATION_UGC_PLACE_REVIEW SIGN_IN_LURE_BUTTON WHAT_TO_STREAM U2U_VASCO_TASK CUTE_VIDEOS COVID19_LURE GOLDEN_URLS WEB_CHANNELS WEB_CHANNELS_ENTRY_POINTS COVID_NEWS_HEADLINES COVID_NEWS_HEADLINES_SINGLETON COVID_LOCAL_HEADLINES_GROUPING COVID_BEYOND_THE_HEADLINES_GROUPING COVID_CHANNEL_GROUPING_MENTAL_HEALTH COVID_CHANNEL_GROUPING_WORKOUT COVID_CHANNEL_GROUPING_WFH COVID_CHANNEL_GROUPING_RECIPE COVID_CHANNEL_GROUPING_PARENTING COVID_CHANNEL_GROUPING_YOGA COVID_CHANNEL_GROUPING_EDUCATION COVID_CHANNEL_GROUPING_GAMING COVID_CHANNEL_GROUPING_TABLETOP_GAME COVID_CHANNEL_GROUPING_STAY_CONNECTED COVID_CHANNEL_GROUPING_COFFEE_AT_HOME COVID_CHANNEL_GROUPING_PROTECT_YOURSELF COVID_CHANNEL_GROUPING_CREATIVITY_AT_HOME COVID_CHANNEL_GROUPING_WELLNESS SAPPHIRE STAMP_SHORT_VIDEO STAMP_SHORT_VIDEO_SINGLETON SHORT_VIDEO_4PACK EXPLORATION_GROUPING_ONE_TOPIC EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_EXPLORATION_GROUPING_ONE_TOPIC EXPLORE_CHANNEL_EXPLORATION_GROUPING_MULTI_TOPICS EXPLORE_CHANNEL_BROAD_TOPICS_CHANNEL_PICKER FOLLOWING_FEED_EXPLORATION_GROUPING SHOPPABLE_IMAGE SUBSCRIBE_TO_SEARCH PINNED_CONTENT_FULFILLMENT PINNED_CONTENT_CAROUSEL_FULFILLMENT LOCAL_LIFT_STORIES NEWS_FULL_COVERAGE_ARTICLES NEWS_FULL_COVERAGE_ARTICLES_SINGLETON NEWS_FULL_COVERAGE_TWEETS NEWS_STORIES_HEADLINES NEWS_STORIES_WORLD NEWS_STORIES_REGION NEWS_STORIES_POLITICS NEWS_STORIES_BUSINESS NEWS_STORIES_TECHNOLOGY NEWS_STORIES_SCIENCE NEWS_STORIES_SPORTS NEWS_STORIES_ENTERTAINMENT NEWS_STORIES_OP_EDS NEWS_STORIES_LOCAL NEWS_STORIES_ISSUE_SPOTLIGHT NEWS_STORIES_BEYOND_THE_HEADLINES NEWS_STORIES_PERSONAL_SPOTLIGHT NEWS_STORIES_BREAKING LOCAL_CHANNEL_HEADLINES_GROUPING LOCAL_CHANNEL_HEADLINES_SINGLETONS LOCAL_CHANNEL_FOOD_GROUPING LOCAL_CHANNEL_REGIONAL_GROUPING LOCAL_CHANNEL_LIFESTYLE_GROUPING LOCAL_CHANNEL_VIDEO_GROUPING NEWS_CHANNEL_SINGLETONS LOCAL_CHANNEL_SINGLETONS KOHINOOR_STORIES STORIES_CHANNEL_SINGLETON LOCATION_MANAGEMENT_LURE PRIVACY_NOTICE_CARD SHAREABLE_IMAGES SHAREABLE_IMAGES_CAROUSEL SHAREABLE_IMAGES_FOUR_PACK SHAREABLE_IMAGES_SIX_PACK SHAREABLE_IMAGES_SINGLETON STATEFUL_TASK TRENDING_CHANNELS TRENDING_CHANNELS_SHOPPING TRENDING_CHANNELS_ENTERTAINMENT TRENDING_CHANNELS_BASEBALL TRENDING_CHANNELS_GADGETS TRENDING_CHANNELS_FASHION FIREFLY GARAMOND_DEMO BEYOND_THE_HEADLINES_SINGLETON GARAMOND_RELATED_ARTICLE_GROUPING TOP_SEARCH_INTERACTED INFO_LURE EDITORIAL_STORIES_GROUPING PALATINO_LURE GARAMOND_INTRO LAST_YEAR_TODAY_STORIES DISCOVER_LIGHTWEIGHT_FIRST_PAGE DIVERSE_CONTENT WEB_GAMES FAN_CONTENT_GROUPING RELATED_CONTENT RELATED_CONTENT_RUBY NEW_TO_YOU_MIDNIGHT_TRAIN_TASK HOME_STACK SHOPPING_INSPIRATION SHOPPING_INSPIRATION_DEMO FOLLOWING_FEED WHAT_TO_COOK WEB_CHANNELS_CHANNEL_IN_BAR_LURE AUGMENTED_REALITY HEARTBEAT FOLLOW_INTEREST OLYMPICS_FEATURED_EVENTS CREATOR_CHANNELS_4PACK TAPPABLE_QUERIES PRIVACY_AWARENESS_PROMO CREATOR_CHANNEL_CREATOR_RECOMMENDATIONS CREATOR_CHANNEL_SINGLETON_CONTENT_RECOMMENDATION FLOODS_DATAHUB FOLLOWING_FEED_ENTRY_LURE SOCIAL_PERSPECTIVES SCALABLE_ATTRIBUTE_VIDEOS TRENDING_HASHTAGS IMAGE_GRID SHOPPING_IMAGE_GRID INSPIRING_HASHTAG_IMAGES CONTENT_EXPLORATION CONTENT_EXPLORATION_VIDEOS EPHEMERAL_EVENT EPHEMERAL_EVENT_TWO_PACK MORE_STORIES_LURE WINTER_OLYMPICS WINTER_OLYMPICS_MEDALS WINTER_OLYMPICS_RECAP_VIDEO WINTER_OLYMPICS_LIVE_STORIES DISCOVER_PROMO_CARD DISCOVER_MAGI_PROMO_CARD DAILY_DISCOVER_PROMO_CARD DISCOVER_MAC_GAP_ON_PROMO_CARD DISCOVER_MAC_GAP_OFF_PROMO_CARD DISCOVER_UKRAINE_INFO TRENDING_VIDEOS TRENDING_TOPICS_CLUSTERS MOOD_CLUSTERS FOLLOWING_FEED_ONBOARDING PAGINATION_PANOPTIC FOOD_RECIPES_CLUSTER FOOD_INTERESTING_FINDS_ARTICLE_CLUSTER FOOD_INTERESTING_FINDS_VIDEO_CLUSTER SHOPPING_INSPIRATION_CLUSTER SUPER_INTEREST_ARTICLES_CLUSTER SUPER_INTEREST_SHORT_VIDEOS_CLUSTER CURATED_COLD_USER_ARTICLES_CLUSTER CURATED_COLD_USER_SHORT_VIDEOS_CLUSTER CURATED_GLOYO_ARTICLES_CLUSTER CURATED_GLOYO_SHORT_VIDEOS_CLUSTER THIN_PROFILE_USER_SHORT_VIDEOS_CLUSTER ON_DEVICE_MEDIA_CONTENT_CAROUSEL SEARCH_BASED_FAST_PERSONALIZATION CONTENT_AND_PLACE_MENTIONS_GROUPING SPORTS_ATHLETE_INFO RELATED_VIDEOS WHAT_TO_STREAM_SRP_ACTION_CLUSTER CONTAINER_EXPANSION_CONTRACTION_SWITCH MEDIA_CONTENT_EXPLORE_MORE_BANNER PETACAT_EXPLORATION PETACAT_CHANNEL SHOPPING_HALLOWEEN_PROMO_CARD SHOPPING_HOLIDAY_DEALS_PROMO_CARD ATTRIBUTE_VIDEO LENS_AWARENESS_PROMO_CARD FLAVOR_CORPUS_CHANNELS ON_DEVICE_MEDIA_CONTENT_ERROR NOW_NEW_ROMAN_IMAGE_LURE DISCOVER_YEAR_IN_SEARCH EUROPE_ENERGY_CRISIS_PROMO QUERY_RECOMMENDATIONS_WYWA QUERY_RECOMMENDATIONS_WYWA_PIN_AT_TOP QUERY_RECOMMENDATIONS_SIQE QUERY_RECOMMENDATIONS_TMSN QUERY_RECOMMENDATIONS_TRAVEL QUERY_RECOMMENDATIONS_TOM_RELATED_QUESTIONS QUERY_RECOMMENDATIONS_WEB_ANSWERS QUERY_RECOMMENDATIONS_TOM_Q2Q QUERY_RECOMMENDATIONS_GTQ QUERY_RECOMMENDATIONS_BROAD_LOCAL_NEWS QUERY_RECOMMENDATIONS_SIQE_NUROOT QUERY_RECOMMENDATIONS_NUROOT_SINGLETON QUERY_RECOMMENDATIONS_NUROOT_DOUBLETON QUERY_RECOMMENDATIONS_NUROOT_THREE_PACK QUERY_RECOMMENDATIONS_NUROOT_FOUR_PACK EXAMPLE_DISCOVER_FEATURE UCP_FOUR_PACK UCP_TWO_PACK FOLLOW_IN_MAIN_FEED TRAVEL_TTD_FOUR_PACK TRAVEL_TTD_FOUR_PACK_PREFABS DISCOVER_APP_MEDIA_FOUR_PACK DISCOVER_APP_AUDIO DISCOVER_APP_ON_DEVICE DISCOVER_APP_ON_DEVICE_ONBOARDING TAPPABLE_QUERIES_WITH_RANGE_POS_CONSTRAINTS SPORTS_LEAGUE_CLUSTER_INFO SPORTS_LEAGUE_STANDINGS_INFO TAPPABLE_QUERIES_WITH_CONSERVATIVE_POS_CONSTRAINTS LOCAL_EVENTS LOCAL_EVENTS_WITH_FIXED_POSITION_SPEC SHOPPING_PRODUCT_GRID SHOPPING_PRODUCT_GRID_SHORT_CARDS SHOP_THE_LOOK ASTRIA FP13N_EMBED_RETRIEVAL_CONTENT HEART_RELATED_CONTENT DISCOVER_TVM_VERTICAL UNPLANNED_EVENTS CONTENT_AND_PLACE_ATTACHMENTS HEART_FP13N_EMBED_RETRIEVAL_CONTENT SHOPPING_TASK_PRODUCT_GRID SHOPPING_TASK_PRODUCT_GRID_SHORT_CARDS NOW_NEW_ROMAN_CLUSTER NAV_QUERY_POST_FOLLOW_CONTENT TRANSLATED_CONTENT DISCOVER_VERTICAL GOOGLE_TWENTY_FIVE_PROMO_CARD SHOPPING_PRODUCT_GRID_PERSONALIZED_CATEGORY_SHORT_CARDS SHOPPING_PRODUCT_GRID_POPULAR_CATEGORY_SHORT_CARDS EXPLICIT_INTERESTS_TO_FOLLOWS_INFO_CARD JPS_SENIORS_PROMO_CARD SPORTS_TEAM_GAME_FOLLOWED SPORTS_TEAM_GAME_NEW_FOLLOW ADD_WIDGET_PROMO_CARD UCP_DELAYED_NOTES_CREATION_PROMPT_CARD QUERY_RECOMMENDATIONS_DINING QUERY_RECOMMENDATIONS_MOONSTONE QUERY_RECOMMENDATIONS_BROAD_TOPIC QUERY_RECOMMENDATIONS_FOLLOW_INSPIRED LOCAL_MERCHANT_CONTENT UPSELL_QUERY_PICKER LODGING_FOUR_PACK APP_UPGRADE_PROMO_CARD RAY_PROMO_CARD QUERY_RECOMMENDATIONS_JOURNEY_EXPLORATION QUERY_RECOMMENDATIONS_TVM_WHAT_TO_WATCH QUERY_RECOMMENDATIONS_TRAVEL_TTD VERTICAL_NEWS_DIGEST LOK_SABHA_ELECTION_PROMO QUERY_RECOMMENDATIONS_QUERY_CONTENT_EXPLORATION DEBUG_PROMO_CARD SHOPPING_DEALS_LURE QUERY_RECOMMENDATIONS_USER_BANDIT OLYMIPCS_SEARCH_GENERATIVE_EXPERIENCE_PROMO_CARD EUROPE_ELECTION_PROMO_CARD QUERY_RECOMMENDATIONS_LOCAL_ACTIVITIES EUROPE_ELECTION_RESULTS_PROMO_CARD QUERY_RECOMMENDATIONS_LIMELIGHT_REVIEW QUERY_RECOMMENDATIONS_LIMELIGHT_DISCUSSION QUERY_RECOMMENDATIONS_LOCAL_MERCHANT_CONTENT DISCOVER_LABS_PROMO_CARD OLYMIPCS_SEARCH_PLAYGROUND_PROMO_CARD QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RICH_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_SIQE_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_MOONSTONE_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_FILM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_TV_PROGRAM QUERY_RECOMMENDATIONS_WYWA_RECOMMENDED_ENTITY_PEOPLE QUERY_RECOMMENDATIONS_TOM_Q2Q_RECOMMENDED_ENTITY QUERY_RECOMMENDATIONS_MIXED_CONTENT SMARTBOXES COMMUNITY_QNA_PROMO_CARD QUERY_RECOMMENDATIONS_TRENDING_MUSTNT_MISS QUERY_RECOMMENDATIONS_MUSTNT_MISS_IN_VERTICAL QUERY_FOLLOW_EMPTY_INJECTION_NOTICE QUERY_RECOMMENDATIONS_JOURNEY QUERY_RECOMMENDATIONS_HUVO_VIDEO QUERY_RECOMMENDATIONS_HUVO_CAROUSEL DISCOVER_PROMO_CARD_AT_ONE DISCOVER_PROMO_CARD_AT_SEVEN QUERY_RECOMMENDATIONS_SIQE_ACTIVITY QUERY_RECOMMENDATIONS_REPEAT_INFO INDIAN_PREMIER_LEAGUE ANIMA_NOTICE_CARD RWJ_SHORT_VIDEO ENTERTAINMENT_TRAILER_DROP SPORTS_GAME_SCHEDULE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Information about the current location. Specific information for this context. Upcoming events and reminders. Trip information. Ongoing trip information. Updates for the user. Content recommendations. Other recommendations. For cards in non personalized stream. Election information. Onboarding. Everything else. For Shadie demo. Cards that might be needed while in a vehicle. Bundle for feedback requested from user. NeedBundleTypes used in the intent system should appear after this line. See commentary at the start of the enumeration. Information about the user's next destination. Types with KMU/FEED prefix refer to Interest feed. Bundles for movie release related KMU intents. Bundle for stock ticker list card in dashboard. Bundle for trending story. Bundle for search awareness features. Bundle for sports awareness features. Bundle for TV Episodes awareness tips. Bundle for HOT_KP. Bundle for KMU finance intents. Sports game cluster. Personal Dashboard Enhancement. Visit go/personal-dashboard-v1.1 for more details. Experimental bundle for smeared movie clusters. Bundles for Assistant HQ (go/hq-now-integration). Bundles for Assistant HQ Eval (go/hq-now-integration). Bundles for welcome cards. Today in history cards. Bundles of new-to-you cards. More bundles are added to handle dismisses properly as V2 dismiss action is on the collection card and collections are identified with the bundles. Bundles of long term ineterest cards. Bundles of url-to-url Crosspath cards. Bundles of fresh url-to-url cards. Bundles of url-to-url cards. Bundles of url-to-url ruby cards. Bundles of Discover View triggered url-to-url cards. Bundles of Discover Hearts triggered url-to-url cards. Bundles for end-of-day stock notification cards. Bundles for awards ceremony cards. Bundles for film festival cards. Bundles for music festival cards. Bundles for ephemeral event livestream cards. Bundles for multi-sport event (e.g. Asian games) cards. Bundles for popularity based experience Bundles for books cards and notifications. Bundles for recently followed entities. Bundles for health cards and notifications. Bundles of Highlight cards. Bundles of AskJoe cards. Bundles for Vidya language onboarding features. Bundles for Ads -- go/feed-ads-frontend Hard news content types -- go/feed-news Bundle for Contextual notifications. Lottery related. Bundle for website update cards. Bundle for intent annotation offline demo and eval. Video cards. Bundle for DeepTrends stories. Bundle for Language Picker which will allow user to opt out from Bilingual feed. Bundle for notifications that were originally sent via push that need to be re-served during feed refresh. Bundle for tennis highlights. Bundle for webkick trending stories Bundle for STAMPs (go/stamp-feed-design). Locally trending stories are part of zero state content. Bundle for webkick local stories Bundle for museum exhibitions (add go link) User wants to issue a query. Parameterized by the query, itself, as a string. Bundle for politics trending story. Bundle for cardmaker cards. Sports on the intent system. Team game bundle. iOS live activity bundle. Athlete game bundle. Athlete game bundle for followed queries. League game bundle. League schedule bundle. League game bundle for followed queries. Multi participant game bundle. Bundles for Public Alerts cards. Bundle for upcoming turndown promo cards. Bundles for Google Stories Card. Broad interest stories (go/broad-interest-modeling-design). Stories targeted based on the user's city location. Stories based on date/time dependent events such as festivals. See go/festive-feed for festivals design. Videos from panoptic Start of ticket sales notification Topic feed entry points that lead to Topic Feed on a particular topic. Six Pack for users with low Discover engagement. A group of 6 COVID-19 related sub-intents. Using the same UI as the organic 6 Pack. A group of entry points that are triggered only in the morning. Images cluster. For now used for images experience prototyping in Discover. See go/images-in-discover-notes for project notes. Need bundle type corresponding to all Panoptic based fulfillers. Personalized local recommendation by go/local-stream-prd. Bundle for video games for core interests (fulfilled by videoroot). Bundle for Twitter in Discover card. Bundle for Podcast recommendations. Bundles for Crisis Response Alerts cards (SOS Alerts, Public Alerts) Bundle for cooking for core interests (fulfilled by videoroot). Bundle for fashion and beauty for core interests (fulfilled by videoroot). Bundle for One-off Notifications. N2Y content grouped around an interest or attribute (go/n2y-groupings-prd). Indic Articles from Vistaar. Core Interest fulfilled by ECS contents Design doc: (go/ci-content-ecs) Bundle for DeepTrends FaBLE stories. Design doc: (go/deep-trends-fable). Bundle for deep videos retrieval (fulfilled by videoroot). Bundle for liveweb stories. Legacy Interest picker go/follow related Pickers. Bundles for different Get-On-Google contents (go/gog) Bundles for Get-On-Google posts. Bundle for Get-On-Google cameos. Bundle for Moonstone quasi-personalized content. Need bundle type for Moonstone with Monet embedding on fresh content. Need bundle type for Moonstone with Monet embedding on core interest Bundle for Moonstone quasi-personalized content. Bundle for new album release Bundle for STORYTIME using carousel UI (go/storytimesite). Bundle for STORYTIME using the singleton UI (go/storytime-singleton-dd). Bundle for Story Recommendations (go/story-recs-serving-design). Bundle for Real Time P13n STAMPs (go/real-time-stamp-dd). Classic Core Interest food and cooking vertical, fulfilled by ECS contents Classic Core Interest fashion and beauty vertical, fulfilled by ECS contents Classic Core Interest travel vertical, fulfilled by ECS contents Classic Core Interest music vertical, fulfilled by ECS contents Classic Core Interest video game vertical, fulfilled by ECS contents Classic Core Interest tv and movies vertical, fulfilled by ECS contents Classic Core Interest tv and movies categories vertical, fulfilled by ECS contents Bundle for curated videos retrieval Bundle for News Headlines. Bundle for DeepTrends Core Interest stories. Design doc: (go/deep-trends-core-interest). Bundle for content from Topic Feed Channels in the main Discover feed. Bundle for post-follow grouping in the main Discover feed. Bundle for post-follow survey in the Discover feed. Bundle for post-follow grouping targeting new follows. Bundle for creator follows. go/creator-follow-plan Bundle for creator follows made recently. Bundle for creator content. Bundle for creator content. Bundle for content from from user interested channels in Main Feed. Bundle for fulfilling channels requests. Bundle for Inline Language Picker (go/feed-lang-picker) Bundle for gold price in Discover Feed. Bundle for forum content in Discover. Bundle for Ephemeral Experiences notifications. Personalized local recommendation with UGC photos and reviews contents for a single place (go/discover-ugc-review-card-prd) Sign in Lure Button for discover signed out users ( go/iga-signedout-discover ) Intent for Discover What To Watch streaming recommendations card. Intent for U2U content for Vasco tasks. Bundle for videos with cute attributes. Design doc: go/discover-attribute-videos-dd. Bundle for showing a COVID-19 lure card that points to OSRP. Golden URLS to show in discover. Bundle for WebChannels content in Discover. Bundle for WebChannels entry points (i.e., 6-pack) in Discover. go/web-channels-6-pack Covid news headlines in Discover. See go/covid19-headlines-discover-dd. For main feed cluster For landing page singletons For landing page local grouping These channel-specific types are needed to implement channel-specific packing rules (e.g., fixed position). Bundle for interest exploration stories in Discover. Bundle for triggering STAMP short video using a carousel UI on the Discover feed. Contra doc: go/contra_project_plan, go/contra-design Stamp doc: go/stamp_background Bundle for triggering STAMP short video using a singleton UI on the Discover feed. Design doc: go/stampshortvideo-carousel-dd Bundle for triggering STAMP short video using grid (4-pack) UI on the Discover feed. Bundle for exploration groupings. Doc: go/discover-exploration-groupings Bundle for exploration groupings in Explore Channel. Bundle for channel picker in Explore Channel. Bundle for exploration groupings in Following Feed Bundle for shoppable images. go/shoppable-images-in-discover-implementation Bundle of SUBSCRIBE_TO_SEARCH intents. For fulfilling content in the feed from notification click Bundle for local lift stories from panoptic's hivemind channel go/signedout-hivemind Bundles for Full Coverage landing pages. Bundle for the top news headlines from top publishers. Bundle for the top world news headlines from top publishers. Bundle for the top regional (e.g., "US") news headlines from top publishers. Bundle for the top politics news headlines from top publishers. Bundle for the top business news headlines from top publishers. Bundle for the top technology news headlines from top publishers. Bundle for the top science news headlines from top publishers. Bundle for the top sports news headlines from top publishers. Bundle for the top entertainment news headlines from top publishers. Bundle for the top news opinion articles. Bundle for the top local news articles. Bundle for ongoing / long-running news stories. Bundle for articles that provide in-depth reporting on key news topics. Bundle for niche news stories highly specific to the user. Bundle for breaking news articles. Bundle for a group of top local stories Bundle for singleton top local stories Bundle for a group of local food / restaurant stories Bundle for a group of state / county local stories Bundle for a group of local lifestyle stories Bundle for a group of local videos Singleton results for the #News channel. Singleton results for the #Local channel. Bundle for kohinoor content in discover. Bundle for Stories Channel in Discover. See go/serving-stories-channel. Bundle for a card letting the user configure their preferred location(s). Bundle for the privacy notice card. Bundle for Shareable Images Card in Discover. Bundle for Shareable Images in Discover using a Carousel UI on the discover feed. Bundle for Shareable Images in Discover using a Four-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Six-Pack UI on the discover feed. Bundle for Shareable Images Card in Discover using a Singleton UI on the discover feed. Bundle for Stateful Tasks in Discover. Bundle for Trending Channels. Bundle for Trending Channels Shopping card. Bundle for Trending Channels Entertainment card. Bundle for Trending Channels Baseball card. Bundle for Trending Channels Gadgets card. Bundle for Trending Channels Fashion card. Bundle for triggering content from torso/tail publishers. go/fireflyxdiscover-le Bundle for non-organically triggering garamond cards for demo / testing. Bundle for Beyond-the-headlines singletons in Discover. go/bth-discover-dd Bundle for Garamond related article groupings. go/garamond-related-articles Bundle for serving top search interacted urls in discover. go/top-search-interacted Bundle for info lures in Discover. See go/discover-info-lures Bundle for Editorial Curation stories in Discover. See http://go/discover-editorial-collections Bundle for Palatino lure in Discover. Bundle for got-it card to introduce garamond cards. go/garamond-got-it-card-plan Bundle for Lyt (aka last year today) stories for Feed on select dates. See go/lyt-stories-in-feed for more details. Bundle for Discover Lightweight First Page. See: go/lightweight-first-page. Bundles for showing unpersonalised feed in discover. Since we want to show each topic in a separate cluster, we are creating a separate need_bundle_type for each need_type. See: go/gold++-dd Bundle for showing web games in Discover. Bundles for showing Fancast content in discover. See: go/fancasts Need bundle type for related content intents. go/discover-emerald-server-design Need bundle type for related content intents for Discover Ruby. go/discover-ruby-serving Need bundle type for midnight train next step in user journey prediction. go/wa-journey-online Need bundle type for Discover home stack. go/home-stack-discover-dd Need bundle type for Shopping inspiration content go/shopping-inspiration-panoptic Need bundle type for Shopping Inspiration Demo cards. Need bundle type for Discover Following feed. Recipe bundle type in discover go/recipes-in-discover-design Need bundle tyoe for Web Channels Channel-in-bar lure go/discover-webchannels-channel-in-bar-lure-dd Need bundle type for Augmented Reality content. Please take a look at go/o20-athletes-in-ar for more details. Need bundle type for HeartBeat in GeoTargetingStroies. go/heartbeat-dd for more details. Need bundle type for Singleton follow card. go/o20-discover-follow-card Need Bundle for Featured Events Card for Olympics on Discover go/o21-featured-events-in-discover-design Need bundle type for Creator Channel 4-Pack Content go/cc-discover-4pack Need bundle type for engaging tappable queries on Discover. go/tappable-queries-dd Need bundle type for privacy awareness cards. go/discover-privacy-awareness-promos Need bundle type for Creator Channel 6-pack creator recommendation See go/cc-discover-6pack Need bundle type for Creator Channel singleton content recommendation Need bundle type for floods data hub notifications Need bundle type for Discover Following feed. Need bundle type for Social Perspectives content. Social Perspectives aims to organize social media conversations across platforms and surface them to Discover users. See go/fanspeak-social-perspectives-dispur-review-presentation. Need bundle type for Scalable Attribute content. Scalable Attribute content aims to deliver content based on content properties / flavor rather than ties to particular topics or mids. Bundle for trending channels go/discover-trending-hashtags Need bundle type for Image Grid in main feed. go/image-grid-main-feed. Need bundle type for Shopping Image Grid in main feed. go/discover-brand-le Need bundle type for Inspiring Hashtag Images in main feed. go/inspiring-hashtag-serving. For exploring new or tail content/creators. go/next-gen-content-explore. For exploring new video content. go/ce-discover-videos. Need bundle type for Events content in main feed. go/events-in-discover-dd. Need bundle type for Events content served as two pack in main feed. go/events-in-discover-dd. Need bundle type for more_stories (WEBKICK_STORIES_SECONDARY_PAGE_LURE) card. Need bundle type for Winter Olympics features. go/discover-winter-olympics-22-design Deprecated Need bundle type for configurable cards on the Discover feed. go/discover-promo-card-platform Need bundle type for a Magi promo card on the Discover feed using it's promo framework (go/discover-promo-card-platform). Need bundle type for Daily Discover Promo Card. go/daily-discover-promo-impl Need bundle type for a MAC GAP-on promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for a MAC GAP-off promo card on the Discover feed using its promo framework (go/discover-promo-card-platform). Need bundle type for showing Ukraine Info card. Need bundle type for mood clusters. go/discover-mood-based-cluster-fulfillment Need bundle type for following feed onboarding. go/following-feed-onboarding. Need bundle type for on-the-fly Panoptic content in Pagination. For Food Super-interest vertical go/food-super-interest-cluster go/horizon-3-shopping-experiences-design For generic Super-interests use go/define-discover-super-interests For on-device media content carousel go/media-content-on-discover-dd. For search based fast personalization go/search-based-fp-roadmap. Bundle for a group of article with place mentions. Athlete info for team/athlete games - go/athlete-triggering-dd Related videos - go/related-videos-aga-design Need bundle type for Discover What To Watch streaming srp action cluster. go/stream-srp-action Switch which makes a container expand/collapse. go/tangor-media-card-design 'Explore more' banner for media content on Discover. go/media-content-explore-more-banner Need bundle type for petacat exploration channel. We would like to do quality tuning with things like fixed position, so separate it from CONTENT. go/explore-value-with-multiarm-bandit Need bundle type for shopping halloween promo card. Need bundle type for shopping black friday deals promo card. Need bundle type for Discover Attribute videos. go/lens-awareness-promo Need bundle type for Discover Lens awareness promo card. Need bundle type for Discover flavor corpus project go/discover-corpus-lp Need Bundle type for Media Error states on Discover go/minus-one-tangor-error-states Need bundle type for NewRoman Image Lure card Need bundle type for a year in search info card. Need bundle type for European energy crisis card. Need bundle types for query recommendations. go/query-recommendations:serving-infra Need bundle type for "While you were away" (go/wywa-v0) Need bundle type for "Serendipitous query exploration" (go/siqe-quality) Need bundle type for "Teach Me Something New" (go/tmsn-dd) Need bundle type for Travel (go/travel-inspo-queries-dd) Need bundle type for "WebAnswers in QR" (go/sh-related-query) Need bundle type for "Aquarium WebAnswers in QR" (go/discover-questions-feature-dd) Need bundle type for Top-of-mind Q2Q (go/tom-q2q-infra) Need bundle type for Geo Targeting query recommendation. Need bundle type for broad local news query (go/discover-local-news-dd). Need bundle type for "Serendipitous query exploration" fulfilled via NuRoot backend. Need bundle type for singleton query clusters fulfilled via NuRoot backend. Need bundle type for doubleton query clusters fulfilled via NuRoot backend. Need bundle type for 3-pack query clusters fulfilled via NuRoot backend. Need bundle type for 4-pack query clusters fulfilled via NuRoot backend. Need bundle type for an example discover feature Bundle for UCP using 4-pack UI (go/ucp-discover-design). Bundle for UCP using 2-pack UI (go/ucp-discover-design). Need bundle type for followed content shown in the Main Feed go/follow-boost Need bundle type for Travel Things to Do using 4-pack UI (go/ttd-on-discover-design). Need bundle type for Travel Things to Do using 4-pack UI and prefabs (go/ttd-on-discover-design, go/discover-primitive-sfps). Need bundle type for media app content go/paces-design-doc Need bundle type for listen app content go/paces-listen-dd Need bundle type for on device app content go/discover-on-device-content Need bundle type for on device app content onboarding go/discover-on-device-content Need bundle type for range_position_spec based ranking in packer go/si-ep-delve-dd Need bundle type for sports league experience (go/sports-discover-league-cluster-design-doc). Need bundle type for sports league standings experience (go/standings-card-discover) Need bundle type for conservative adaptive ranking constraints go/si-ep-delve-adaptive-ranking-prd Need bundle type for local events content. go/local-events-on-discover Need bundle type for Shopping Product Grid in main feed. go/productgrid-fe-impl Need bundle type for Shopping Product Grid Short Cards with personalized queries in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shop The Look in main feed. go/stl-fe-design, go/sda-stl-be Need bundle type for Astria personalized content. Need bundle type for Fast Personalization embedding based retrieval content. go/fp13n-embed Need bundle type for heart related content. go/discover-heart Need bundle type for discover tvm vertical. go/discover-tvm-vertical-dd Need bundle type for unplanned events content. go/events-on-discover For article and place mentions attachments. go/discover-prefabs Need bundle type for heart fast personalization embedding based retrieval content. go/fp13n-embed Need bundle type for Task Product Grid in main feed. go/task-continuation-product-grid-be Need bundle type for Task Product Grid Short Cards in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for NewRoman Image Cluster card Need bundle type for Navigational Query source post-follow and query post-follow fulfillment. Currently only used for dark launch LE. go/nav_query_coverage_analysis Need bundle type for translated (Toledo) content on Discover (go/transcend-dd) Need bundle type for discover verticals content and attachments. go/events-using-qr-dd Need bundle type for Google 25th celebratory card on the Discover feed. See go/g25-xga Need bundle type for Shopping Product Grid Short Cards with personalized categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for Shopping Product Grid Short Cards with popular categories in main feed. go/shoppingmoments-shortcard-fe-impl Need bundle type for info card in Discover main feed educating users that their explicit interests are now follows Need bundle type for promo card run by Japan Search for Seniors team in Discover main feed Need bundle type for followed sports team game cards. Need bundle type for sports team game cards targeting new follows. Need bundle type for followed sports team game cards. Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. Need bundle type for Dining (go/disco-dining-dd) Need bundle type for MOONSTONE Targeting query recommendation. Need bundle type for Broad Topic query recommendation. Need bundle type for Follow Inspired query recommendation. Need bundle for Local Merchant Content (go/mcc-discover-le). Need bundle type for upselling a query picker to users more likely to follow queries. Need bundle type for hotel and vacation rental Four-Pack UI on the discover feed. Need bundle type for app upgrade promo card shown to the user. Need bundle type for Results About You promo card shown to the user. Need bundle type for Journey Exploration query recommendation. Need bundle type for "w2w query"(go/w2w-for-discover) Need bundle type for Top Sights on QR (go/top-sights-qr-migration). Need bundle type for a content retriever retrieves hard-coded video game news. This retriever will be used for a signal LE. Bundle for Lok Sabha Promo on Discover Need bundle type for Query Content Exploration query recommendation. Need bundle type for the Discover Debug in-feed opt-in/debug card. go/discover-debug-card-dd. Need bundle type for the Shopping Deals Lure card on Discover. go/shopping-discover-promo-le Need bundle type for User Bandit query recommendation. Need bundle type for olympics SGE promo card. go/discover-olympics-sge Need bundle type for local activities query recommendations. Need bundle type for "LimeLight Review". go/discover-limelight-review-dd Need bundle type for "Limelight Discussions" go/discover-limelight-discussions-dd Need bundle for Local Merchant Content QR (go/mcc-discover-qr) Need bundle for internally used Discover labs promo card. Need bundle type for Olympics Playground promo card. go/olympic-search-playground-promo Need bundle type for rich entity attachment. go/sv-rich-design Need bundle type for recommended entity attachment go/offline-entity-enhancement Need bundle for mixed content query cluster of horizontal and shopping content (go/mixed-content-with-shopping). Need type for Smartboxes content. (go/smartbox-design) Need bundle type for Q&A in Discover LE promo card. go/community-qna-discover-le Need bundle type for Trending Mustn't Miss queries. go/trending-mustnt-miss-dd Need bundle for an empty injection notice. go/no-content-injection-notice-dd Need bundle type for Journey query recommendation. Need bundle type for Huvo video query recommendation. Need bundle type for HuVo clusters using carousel UI. Shared Need bundle type for promos running via the Seaport framework and set at position 1 in the Discover feed. go/discover-promo-in-seaport. Shared Need bundle type for promos running via the Seaport framework and set at position 7 in the Discover feed. go/discover-promo-in-seaport. Need bundle type for SIQE activity based recommendations. Need bundle type for repeat info query recommendation (go/repeat-info-needs). Need bundle type for https://en.wikipedia.org/wiki/Indian_Premier_League. Need bundle type for the Anima notice card Need bundle type for RWJ short video card. Need bundle type for "Entertainment Trailer Drop". go/sv-entertainment Game schedule bundle. type string secondaryAccessibilityLabelOnEmptyCluster description The string that should be used by screen readers for secondary_label_on_empty_cluster. If not set, the platform default for the label element should be used. type string secondaryClickAction $ref Sidekick__ClientAction description A secondary action attached to this Cluster header. If this is defined along with the secondary_label, a button like link will be added to the cluster header. secondaryClickActionOnEmptyCluster $ref Sidekick__ClientAction description A secondary action attached to this Cluster header. If this is defined along with the secondary_label_on_empty_cluster, a button like link will be added to the cluster header when the empty card is displayed. secondaryLabel $ref Sidekick__TemplatedString description Text assocated with a secondary action button that can be placed in the Cluster Header. We will show the secondary action button only if both the secondary_label and secondary_click_action are defined. secondaryLabelOnEmptyCluster $ref Sidekick__TemplatedString description Text assocated with a secondary action button that can be placed in the Cluster Header. We will show the secondary action button only if both the secondary_label_on_empty_cluster and secondary_click_action_on_empty_cluster are defined and the empty card is displayed. suppressClusterPadding description If false, clients should not group together content from more than one cluster. Cluster Packer packs each individual card inside its own cluster, and this field determines whether a cluster's contents should be grouped together with the previous cluster irrespective of their entry_update_id, controlling the multi-column layout. type boolean suppressSecondaryActionOnEmptyCluster description If the cluster supports both an empty card and a secondary action, suppress the secondary action when the empty card is displayed. type boolean title description Title displayed for the cluster. type string topMarginInDp description Top margin for the cluster, in DP Only specifiable for android v6.0+. format int32 type integer iterable_item_added root['schemas']['GoogleLogsTapandpayAndroid__BackupRestoreEvent']['properties']['errorType']['enum'][10] DB_ERROR root['schemas']['GoogleLogsTapandpayAndroid__BackupRestoreEvent']['properties']['errorType']['enum'][11] STORAGE_KEY_ERROR root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enum'][215] CLICK_SIDELOAD_CARD root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enum'][216] CLICK_REMOVE_SIDELOADED_CARD root['schemas']['GoogleLogsTapandpayAndroid__ClosedLoopEvent']['properties']['eventType']['enumDescriptions'][215] ClosedLoop sideload operations See go/wallet-design-sideload-closedloop for more details. root['schemas']['LogsProtoPaymentsConsumerCore__EditUserCreatedPassPageEndingMetadata']['properties']['updateFailure']['enum'][4] UPDATE_FAILURE_SYNC_VALUABLE_FAILED root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNotifications_UserActionMetadata_Action']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ActionLogFilter']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ChimeAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['SearchNowPushProtoChimepayloads__ExpiresAfterSetting']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick_ContentFeedbackSurvey_SurveyAnswer']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick_ReportAction_ReportReason']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__Action']['properties']['type']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__Action']['properties']['type']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClickAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClientAction']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ClosetAction']['properties']['undoActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__InlineInjectionMetadata']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__Rating']['properties']['actionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1065] SPORTS_SCHEDULE_CRICKET root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1066] SPORTS_SCHEDULE_SOCCER root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1067] SPORTS_SCHEDULE_BASEBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1068] SPORTS_SCHEDULE_AMERICAN_FOOTBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1069] SPORTS_SCHEDULE_HOCKEY root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1070] SPORTS_SCHEDULE_FOOTBALL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1471] TVM_WHAT_TO_WATCH_MOST_SEARCHED_CAROUSEL root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1535] DEPRECATED_RECOMMENDED_QUERY_CLUSTER_DISCO_NOTES_ENTRY_POINT root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['checkedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['clearedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][211] DAILY_DIGEST_PODCAST_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][212] DAILY_DIGEST_PODCAST_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][213] DAILY_DIGEST_TOPIC_POSITIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enum'][214] DAILY_DIGEST_TOPIC_NEGATIVE_RATING root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][211] Action for daily digest podcast positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][212] Action for daily digest podcast negative rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][213] Action for daily digest topic positive rating. root['schemas']['Sidekick__ToggleStateAction']['properties']['uncheckedActionType']['enumDescriptions'][214] Action for daily digest topic negative rating. iterable_item_removed root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1456] RECOMMENDED_QUERY_CLUSTER_DISCO_NOTES_ENTRY_POINT
prod/ogads-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302 iterable_item_added root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enumDescriptions'][719] go/connect-ai-agent root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enumDescriptions'][719] go/connect-ai-agent
prod/ogads-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250302 iterable_item_added root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enumDescriptions'][719] go/connect-ai-agent root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enumDescriptions'][719] go/connect-ai-agent
prod/opsconfigmonitoring-	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/opsconfigmonitoring-v1	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/parametermanager-	values_changed root['revision'] new_value 20250307 old_value 20250226
prod/parametermanager-v1	values_changed root['revision'] new_value 20250307 old_value 20250226
prod/parametermanager-v1alpha	values_changed root['revision'] new_value 20250307 old_value 20250226
prod/performanceparameters-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/performanceparameters-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/policyremediatormanager-	values_changed root['resources']['organizations']['resources']['locations']['resources']['operations']['methods']['cancel']['description'] new_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`. old_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of 1, corresponding to `Code.CANCELLED`. root['resources']['projects']['resources']['locations']['resources']['operations']['methods']['cancel']['description'] new_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`. old_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of 1, corresponding to `Code.CANCELLED`. root['revision'] new_value 20250305 old_value 20230925
prod/policyremediatormanager-v1alpha	values_changed root['resources']['organizations']['resources']['locations']['resources']['operations']['methods']['cancel']['description'] new_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`. old_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of 1, corresponding to `Code.CANCELLED`. root['resources']['projects']['resources']['locations']['resources']['operations']['methods']['cancel']['description'] new_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of `1`, corresponding to `Code.CANCELLED`. old_value Starts asynchronous cancellation on a long-running operation. The server makes a best effort to cancel the operation, but success is not guaranteed. If the server doesn't support this method, it returns `google.rpc.Code.UNIMPLEMENTED`. Clients can use Operations.GetOperation or other methods to check whether the cancellation succeeded or whether the operation completed despite cancellation. On successful cancellation, the operation is not deleted; instead, it becomes an operation with an Operation.error value with a google.rpc.Status.code of 1, corresponding to `Code.CANCELLED`. root['revision'] new_value 20250305 old_value 20230925
prod/ppissuer-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/ppissuer-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/preprod-hangouts-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/preprod-hangouts-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/privacysandboxmaven-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/privacysandboxmaven-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/progressiverollout-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/progressiverollout-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/progressiverollout-v1beta	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/quantum-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/quantum-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/rbmopenmaap-	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/rbmopenmaap-v1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/resultstore-	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/resultstore-v2	values_changed root['revision'] new_value 20250307 old_value 20250304
prod/riskmanager-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/riskmanager-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/riskmanager-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/routeoptimization-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/routeoptimization-v1	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/routes-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/routes-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/salesforceshopping-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/salesforceshopping-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/searchresearcherresults-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/searchresearcherresults-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/securitycentermanagement-	values_changed root['resources']['folders']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['folders']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['organizations']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['organizations']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['projects']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['projects']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['revision'] new_value 20250309 old_value 20250302 root['schemas']['SecurityCenterService']['properties']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner`
prod/securitycentermanagement-v1	values_changed root['resources']['folders']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['folders']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['organizations']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['organizations']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['projects']['resources']['locations']['resources']['securityCenterServices']['methods']['get']['parameters']['name']['description'] new_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Required. The Security Command Center service to retrieve, in one of the following formats: * organizations/{organization}/locations/{location}/securityCenterServices/{service} * folders/{folder}/locations/{location}/securityCenterServices/{service} * projects/{project}/locations/{location}/securityCenterServices/{service} The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['resources']['projects']['resources']['locations']['resources']['securityCenterServices']['methods']['patch']['parameters']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` root['revision'] new_value 20250309 old_value 20250302 root['schemas']['SecurityCenterService']['properties']['name']['description'] new_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner` * `vm-threat-detection-aws` old_value Identifier. The name of the service, in one of the following formats: * `organizations/{organization}/locations/{location}/securityCenterServices/{service}` * `folders/{folder}/locations/{location}/securityCenterServices/{service}` * `projects/{project}/locations/{location}/securityCenterServices/{service}` The following values are valid for `{service}`: * `container-threat-detection` * `event-threat-detection` * `security-health-analytics` * `vm-threat-detection` * `web-security-scanner`
prod/shoppingdataintegration-	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/shoppingdataintegration-v1	values_changed root['revision'] new_value 20250310 old_value 20250305
prod/sourcerepo-pa-	values_changed root['revision'] new_value 20250310 old_value 20250228
prod/sourcerepo-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250228
prod/staging-identitytoolkit.sandbox-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/staging-identitytoolkit.sandbox-v2	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/staging-identitytoolkit.sandbox-v2alpha1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/staging-identitytoolkit.sandbox-v2beta1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/staging-notifications-pa.sandbox-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/staging-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/staging-qual-qa-notifications-pa.sandbox-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/staging-qual-qa-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250308 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/storagebatchoperations-	values_changed root['revision'] new_value 20250305 old_value 20250303
prod/storagebatchoperations-v1	values_changed root['revision'] new_value 20250305 old_value 20250303
prod/subscribewithgoogle-	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/subscribewithgoogle-v1	values_changed root['revision'] new_value 20250309 old_value 20250306
prod/tasks-pa-	dictionary_item_added root['schemas']['ListTasks']['properties']['excludeAssigned'] values_changed root['revision'] new_value 20250307 old_value 20250304 root['schemas']['ListTasks']['description'] new_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 21 old_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 20 root['schemas']['QueryRequest']['properties']['bypassInit']['description'] new_value This is set for pure read only queries so that we don't do the lazy initialization (directory creation) for disabled/deleted users old_value This is set for pure read only queries so that we don’t do the lazy initialization (directory creation) for disabled/deleted users
prod/tasks-pa-v1	dictionary_item_added root['schemas']['ListTasks']['properties']['excludeAssigned'] values_changed root['revision'] new_value 20250307 old_value 20250304 root['schemas']['ListTasks']['description'] new_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 21 old_value Query Tasks. By default returns uncompleted, visible tasks. NEXT_ID: 20 root['schemas']['QueryRequest']['properties']['bypassInit']['description'] new_value This is set for pure read only queries so that we don't do the lazy initialization (directory creation) for disabled/deleted users old_value This is set for pure read only queries so that we don’t do the lazy initialization (directory creation) for disabled/deleted users
prod/tile-	values_changed root['revision'] new_value 20250309 old_value 20250305 root['schemas']['TrafficTile']['properties']['zoom']['description'] new_value The [zoom level](https://developers.google.com/maps/documentation/automotive/vector-tiles/coordinates) of the requested map tile. This API supports zoom level 0 through 19 (inclusive). old_value The [zoom level](https://developers.google.com/maps/documentation/automotive/vector-tiles/coordinates) of the requested map tile. This API supports zoom level 0 through 19 (inclusive). Note: Only zoom levels 0-16 are downloaded automatically. Zoom levels 17-19 are served from online.
prod/tile-v1	values_changed root['revision'] new_value 20250309 old_value 20250305 root['schemas']['TrafficTile']['properties']['zoom']['description'] new_value The [zoom level](https://developers.google.com/maps/documentation/automotive/vector-tiles/coordinates) of the requested map tile. This API supports zoom level 0 through 19 (inclusive). old_value The [zoom level](https://developers.google.com/maps/documentation/automotive/vector-tiles/coordinates) of the requested map tile. This API supports zoom level 0 through 19 (inclusive). Note: Only zoom levels 0-16 are downloaded automatically. Zoom levels 17-19 are served from online.
prod/transferappliance-	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/travelpartnerprices-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/travelpartnerprices-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/us-rbmopenmaap-	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/us-rbmopenmaap-v1	values_changed root['revision'] new_value 20250310 old_value 20250306
prod/us-west2-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west2-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west2-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west2-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-west2-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/vectortile-	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/vectortile-v1	values_changed root['revision'] new_value 20250309 old_value 20250305
prod/workloadcertificate-	values_changed root['revision'] new_value 20240103 old_value 20240117
prod/workloadcertificate-v1alpha1	values_changed root['revision'] new_value 20240103 old_value 20240117
prod/workspacevideo-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/workspacevideo-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250304