prod/accountsettingsmobile-pa-	dictionary_item_added root['schemas']['CardCapabilities']['properties']['clpPromptCardDismissal']['deprecated'] root['schemas']['ClientCapabilities']['properties']['expressiveDesign'] dictionary_item_removed root['schemas']['ClpPromptBlock'] root['schemas']['ClpPromptCarouselCard'] root['schemas']['ClpPromptDescriptionBlock'] root['schemas']['ClpPromptItem'] root['schemas']['Card']['properties']['clpPromptCarousel'] root['schemas']['Resource']['properties']['clpPromptItem'] values_changed root['revision'] new_value 20250313 old_value 20250305 root['schemas']['ClientCapabilities']['description'] new_value Describes the client's capabilities to the server. Field names should be without a "supports" prefix. It is implicit in the message, since it's about which features the client supports. Next Id: 23 old_value Describes the client's capabilities to the server. Field names should be without a "supports" prefix. It is implicit in the message, since it's about which features the client supports. Next Id: 22 iterable_item_added root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enum'][417] VIDEO_VERIFICATION_COLLECTION root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enumDescriptions'][254] ResourceId.PLATFORM_PAYMENT_METHOD_LIST_SCREEN root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enumDescriptions'][417] ResourceId.VIDEO_VERIFICATION_COLLECTION_SCREEN
prod/accountsettingsmobile-pa-v1	dictionary_item_added root['schemas']['CardCapabilities']['properties']['clpPromptCardDismissal']['deprecated'] root['schemas']['ClientCapabilities']['properties']['expressiveDesign'] dictionary_item_removed root['schemas']['ClpPromptBlock'] root['schemas']['ClpPromptCarouselCard'] root['schemas']['ClpPromptDescriptionBlock'] root['schemas']['ClpPromptItem'] root['schemas']['Card']['properties']['clpPromptCarousel'] root['schemas']['Resource']['properties']['clpPromptItem'] values_changed root['revision'] new_value 20250313 old_value 20250305 root['schemas']['ClientCapabilities']['description'] new_value Describes the client's capabilities to the server. Field names should be without a "supports" prefix. It is implicit in the message, since it's about which features the client supports. Next Id: 23 old_value Describes the client's capabilities to the server. Field names should be without a "supports" prefix. It is implicit in the message, since it's about which features the client supports. Next Id: 22 iterable_item_added root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enum'][417] VIDEO_VERIFICATION_COLLECTION root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enumDescriptions'][254] ResourceId.PLATFORM_PAYMENT_METHOD_LIST_SCREEN root['schemas']['GoogleAccountVisualElementMetadata']['properties']['accountSettingsArea']['enumDescriptions'][417] ResourceId.VIDEO_VERIFICATION_COLLECTION_SCREEN
prod/actions-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/actions-v2	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/actions-v2alpha	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/actions-v3	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/adsmarketingfrontend-pa-	dictionary_item_removed root['schemas']['Channel'] root['schemas']['GetSpendDataRequest']['properties']['channels'] values_changed root['revision'] new_value 20250312 old_value 20250309
prod/adsmarketingfrontend-pa-v1	dictionary_item_removed root['schemas']['Channel'] root['schemas']['GetSpendDataRequest']['properties']['channels'] values_changed root['revision'] new_value 20250312 old_value 20250309
prod/aerialview-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/aerialview-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/aerialview-v1beta	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/agreement-	values_changed root['revision'] new_value 20250309 old_value 20250227
prod/agreement-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250227
prod/agreement-v1beta1	values_changed root['revision'] new_value 20250309 old_value 20250227
prod/aida-	dictionary_item_added root['resources']['aida']['methods']['proxyDoConversation'] values_changed root['revision'] new_value 20250312 old_value 20250308
prod/aida-v1	dictionary_item_added root['resources']['aida']['methods']['proxyDoConversation'] values_changed root['revision'] new_value 20250312 old_value 20250308
prod/aiplugin-pa-	values_changed root['revision'] new_value 20250309 old_value 20250311 iterable_item_added root['schemas']['ClientMetadata']['properties']['pluginType']['enum'][5] PANTHEON root['schemas']['ClientMetadata']['properties']['pluginType']['enumDescriptions'][5] API calls coming from Pantheon and Coliseum.
prod/aiplugin-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250311
prod/aiplugin-pa-v1internal	values_changed root['revision'] new_value 20250309 old_value 20250311 iterable_item_added root['schemas']['ClientMetadata']['properties']['pluginType']['enum'][5] PANTHEON root['schemas']['ClientMetadata']['properties']['pluginType']['enumDescriptions'][5] API calls coming from Pantheon and Coliseum.
prod/aiui-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/aiui-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/alkaliauth-pa-	values_changed root['revision'] new_value 20250311 old_value 20250225
prod/alkaliauth-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250225
prod/alkalibasemap-pa-	values_changed root['revision'] new_value 20250311 old_value 20250304 root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][1] new_value When the edit's is ready to be processed (or currently being processed). old_value When the edit's evaluation is in progress. iterable_item_added root['schemas']['ApiPointFixEdit']['properties']['state']['enum'][4] DUPLICATE root['schemas']['ApiPointFixEdit']['properties']['state']['enum'][5] PENDING root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][4] When the corresponding GeoIssue is a duplicate of another GeoIssue. The duplicate may or may not be managed by GMCP. root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][5] When there is not enough information to determine the state of the edit. This should be non-terminal.
prod/alkalibasemap-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250304 root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][1] new_value When the edit's is ready to be processed (or currently being processed). old_value When the edit's evaluation is in progress. iterable_item_added root['schemas']['ApiPointFixEdit']['properties']['state']['enum'][4] DUPLICATE root['schemas']['ApiPointFixEdit']['properties']['state']['enum'][5] PENDING root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][4] When the corresponding GeoIssue is a duplicate of another GeoIssue. The duplicate may or may not be managed by GMCP. root['schemas']['ApiPointFixEdit']['properties']['state']['enumDescriptions'][5] When there is not enough information to determine the state of the edit. This should be non-terminal.
prod/alkalidatastore-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/alkalidatastore-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/alkalilearn-pa-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/alkalilearn-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/alkalilearn-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/alkalilogexporter-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/alkalilogexporter-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/alkalimetricsink-pa-	values_changed root['revision'] new_value 20250313 old_value 20250306 iterable_item_added root['schemas']['EventMetric']['properties']['metricType']['enum'][14] LARGEST_CONTENTFUL_PAINT root['schemas']['EventMetric']['properties']['metricType']['enum'][15] LARGEST_CONTENTFUL_PAINT_SPA root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][14] Largest Contentful Paint root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][15] Largest Contentful Paint Transition
prod/alkalimetricsink-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250306 iterable_item_added root['schemas']['EventMetric']['properties']['metricType']['enum'][14] LARGEST_CONTENTFUL_PAINT root['schemas']['EventMetric']['properties']['metricType']['enum'][15] LARGEST_CONTENTFUL_PAINT_SPA root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][14] Largest Contentful Paint root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][15] Largest Contentful Paint Transition
prod/alkalipanelstvmeter-pa-	values_changed root['revision'] new_value 20250224 old_value 20250207
prod/alkalipanelstvmeter-pa-v1	values_changed root['revision'] new_value 20250224 old_value 20250207
prod/alkaliproducer-pa-	dictionary_item_removed root['schemas']['ExperimentValues']['properties']['onboardingGaEnabled'] values_changed root['revision'] new_value 20250312 old_value 20250307
prod/alkaliproducer-pa-v1	dictionary_item_removed root['schemas']['ExperimentValues']['properties']['onboardingGaEnabled'] values_changed root['revision'] new_value 20250312 old_value 20250307
prod/alkalishoutbox-pa-	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alkalishoutbox-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alkalitermsofservice-pa-	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alkalitermsofservice-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alkaliuploader-pa-	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alkaliuploader-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250306
prod/alpha-ml-	values_changed root['revision'] new_value 20250308 old_value 20250222
prod/alpha-ml-v1	values_changed root['revision'] new_value 20250308 old_value 20250222
prod/alpha-vision-	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/alpha-vision-v1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/alpha-vision-v1p1beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/alpha-vision-v1p2beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/alpha-vision-v1p3beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/alpha-vision-v1p4beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/analyticssuitefrontend-pa-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/analyticssuitefrontend-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/ap-rbmopenmaap-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/ap-rbmopenmaap-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/appsbackup-pa-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/appsbackup-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/appsgenaiserver-pa-	dictionary_item_added root['schemas']['AppsExtensionsFileMetadataGmailMetadata'] root['schemas']['AppsExtensionsSheetsActionsNavigateAction'] root['schemas']['AppsIntelligenceGenAiReferenceMetadata'] root['schemas']['AppsIntelligenceGenAiSheetsNavigationActionParams'] root['schemas']['AppsIntelligenceGenAiTnfmParams'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirect'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirectTaskRedirectAction'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirectTaskRedirectConfig'] root['schemas']['AppsUpsellSharedRecommendationTemplatesValuePropGroup'] root['schemas']['AppsUpsellSharedRecommendationTemplatesValuePropGroups'] root['schemas']['AssistantLamdaWorkspaceEditorResourceReferenceMetadataOptions'] root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfoSheetsGridRange'] root['schemas']['AppsExtensionsFileMetadata']['properties']['gmailMetadata'] root['schemas']['AppsExtensionsSheetsActions']['properties']['navigateAction'] root['schemas']['AppsIntelligenceGenAiAction']['properties']['sheetsNavigationActionParams'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['deprecated'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['tableMetadata']['deprecated'] root['schemas']['AppsIntelligenceGenAiUseCaseParams']['properties']['tnfmParams'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['referenceMetadata'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['citations']['deprecated'] root['schemas']['AppsUpsellSharedRecommendationCommonRecommendation']['properties']['valuePropGroups'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorCustomizedActionBehavior']['properties']['adminConsoleAccordionTaskRedirect'] root['schemas']['AssistantLamdaWorkspaceEditorResourceReferenceEditorResourceOptions']['properties']['metadataOptions'] root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfo']['properties']['sheetsGridRange'] dictionary_item_removed root['schemas']['AppsIntelligenceGenAiCitationMetadata']['description'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['tableMetadata']['description'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['citations']['description'] values_changed root['revision'] new_value 20250310 old_value 20250306 root['schemas']['AppsExtensionsWorkflowDataSource']['description'] new_value Workflow only. In a `TextInput` or `SelectionInput` widget with MULTI_SELECT type or a `DateTimePicker`, provide data source from Google. old_value Workflow only. In a `SelectionInput` or `TextInput` widget with DROPDOWN or MULTI_SELECT type, provide data source from Google. root['schemas']['AppsIntelligenceGenAiAction']['description'] new_value Next ID: 19 old_value Next ID: 18 root['schemas']['AppsIntelligenceGenAiUseCaseParams']['description'] new_value Generate Use Case specific parameters Next ID: 13. old_value Generate Use Case specific parameters Next ID: 12. root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['attributions']['description'] new_value List of citations in the response that point at this resource (go/bk-citations-prd). old_value Metadata about nodes in response that are attributable to this resource. root['schemas']['AppsUpsellSharedRecommendationCommonRecommendation']['description'] new_value A common response for recommendation systems. Next id: 26 old_value A common response for recommendation systems. Next id: 25 root['schemas']['AssistantLamdaEncryptionMetadata']['properties']['isEncrypted']['description'] new_value Indicates if the file contents is encrypted. If true, the keyset must also be specified, otherwise the file contents will not be readable. If the file attachment is read from logs, this may be set to true even if the keyset is not present to indicate that the file was encrypted but can no longer be decrypted. Encrypted files are stored as "plain" files in storage, since file-type specific processing (e.g. transcoding of images) would fail due to the encryption. See: go/bard-storage-encryption This has the side effect that FIFE urls will not be generated for encrypted files. Moreover encrypted files are not copied to persistent storage. Trying to copy them will fail. If false, but a keyset is specified, the file will not be decrypted. If the file contents is encrypted, this will lead to garbage data being returned. old_value Indicates if the file contents is encrypted. If true, the keyset must also be specified, otherwise the file contents will not be readable. If the file attachment is read from logs, this may be set to true even if the keyset is not present to indicate that the file was encrypted but can no longer be decrypted. If false, but a keyset is specified, the file will not be decrypted. If the file contents is encrypted, this will lead to garbage data being returned. root['schemas']['AssistantLamdaNightwingMutatingOp']['description'] new_value An op that generated by the tool. For now it's also used between the server and the client, but we can also translate this proto into the RobinOp in the future. More on go/bard-rfc-802. LINT.IfChange Next ID: 1091. old_value An op that generated by the tool. For now it's also used between the server and the client, but we can also translate this proto into the RobinOp in the future. More on go/bard-rfc-802. LINT.IfChange Next ID: 1090. root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall iterable_item_added root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiAction']['properties']['actionType']['enum'][19] SHEETS_NAVIGATION root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][35] VIDEO_GENERATION_INPUT_UNSAFE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][36] VIDEO_GENERATION_OUTPUT_UNSAFE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][37] VIDEO_GENERATION_ALL_GENERATIONS_FAILED root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][38] VIDEO_GENERATION_SOFT_PUSHBACK_REWRITTEN root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][35] The Kopi request failed because the input to the video generation was deemed unsafe. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][36] The Kopi request failed because the output of the video generation was deemed unsafe. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][37] The Kopi request failed because all requested video generations failed. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][38] The Kopi request failed because the video generation tool soft pushback was rewritten. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][85] GMAIL_COPY_CREATOR_CUSTOMER_REACTIVATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][86] GMAIL_COPY_CREATOR_MARKETING_CAMPAIGN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][87] GMAIL_COPY_CREATOR_PRODUCT_INTRODUCTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][88] GMAIL_CUSTOMER_OUTREACH_SPECIALIST_COMPLAINS_APOLOGY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][89] GMAIL_CUSTOMER_OUTREACH_SPECIALIST_ENQUIRIES_RESPONSE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][90] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_CUSTOMERS_SENTIMENT_COMPARISON root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][91] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_FEEDBACK_SUMMARY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][92] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_NEW_PRODUCT_FEEDBACK_ANALYSIS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][97] GMAIL_HIRING_CONSULTANT_CANDIDATES_OUTREACH_EMAIL_GENERATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][98] GMAIL_HIRING_CONSULTANT_INTERVIEW_QUESTION_SUGGESTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][99] GMAIL_HIRING_CONSULTANT_NEW_JOB_DESCRIPTION_CREATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][101] GMAIL_SALES_PITCH_IDEATOR_BRAINSTORM root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][102] GMAIL_SALES_PITCH_IDEATOR_CRAFT_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][103] GMAIL_SALES_PITCH_IDEATOR_OBJECTIONS_RESPONSE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][104] GMAIL_SALES_PITCH_IDEATOR_SALES_PITCH root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['AppsUpsellSharedRecommendationTemplatesCategory']['properties']['promoCategory']['enum'][25] PROMO_CATEGORY_G1_UPSELL root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfo']['properties']['viewDestination']['enum'][2] VIEW_DESTINATION_SHEETS_GRID_RANGE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][16] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER_NOTICE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][305] XXX_TEST_ONLY_XWS_FLAG_PROMO_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][324] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][423] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DOCS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][424] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DOCS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][425] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_SHEETS_AND_SLIDES_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][426] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_SHEETS_AND_SLIDES_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][431] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][432] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][433] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][434] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][435] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][436] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][437] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][438] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][439] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][440] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][441] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][442] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][443] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][479] ADMIN_CONSOLE_ONBOARDING_ADD_USER_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][480] ADMIN_CONSOLE_ONBOARDING_LOGO_UPLOAD_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][481] ADMIN_CONSOLE_ONBOARDING_VERIFY_DOMAIN_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][482] ADMIN_CONSOLE_ONBOARDING_GMAIL_SETTING_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][483] ADMIN_CONSOLE_ONBOARDING_TWOSV_ENFORCEMENT_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][484] ADMIN_CONSOLE_ONBOARDING_MIGRATE_DATA_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][485] ADMIN_CONSOLE_ONBOARDING_CREATE_EMAIL_ALIAS_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][486] ADMIN_CONSOLE_ONBOARDING_MX_RECORDS_SETUP_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][487] ADMIN_CONSOLE_ONBOARDING_ICANN_VERIFICATION_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][488] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][489] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][490] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][491] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][492] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][493] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][494] AC_BILLING_BUYFLOW_V2_DEFAULT_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][495] AC_BILLING_BUYFLOW_V2_DEFAULT_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enumDescriptions'][479] go/ac-accordion root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enumDescriptions'][488] go/dvp-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][106] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][115] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][316] CORE_VALUE_EMAIL_BUSINESS_STARTER_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][317] CORE_VALUE_EMAIL_BUSINESS_STARTER_NON_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][318] CORE_VALUE_EMAIL_BUSINESS_STARTER_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][325] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][326] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][327] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][328] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][329] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][330] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][354] XXX_TEST_ONLY_XWS_FLAG_PROMO root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][355] XXX_TEST_ONLY_MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][601] G1_GEN_AI_UPSELL_WFAC_WAVE5 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][700] ABANDONED_BUYFLOW_FOLLOW_UP_EMAIL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][701] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][702] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][703] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][704] AC_BILLING_BUYFLOW_V2_DEFAULT_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][106] eSig Business Standard Upsell http://shortn/_oHS4N2IbSg root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][601] go/g1-ai-wfac-w5-experiment-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][700] go/abandoned-buyflow-follow-up-email-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][701] go/dvp-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][106] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][115] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][316] CORE_VALUE_EMAIL_BUSINESS_STARTER_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][317] CORE_VALUE_EMAIL_BUSINESS_STARTER_NON_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][318] CORE_VALUE_EMAIL_BUSINESS_STARTER_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][325] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][326] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][327] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][328] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][329] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][330] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][354] XXX_TEST_ONLY_XWS_FLAG_PROMO root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][355] XXX_TEST_ONLY_MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][601] G1_GEN_AI_UPSELL_WFAC_WAVE5 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][700] ABANDONED_BUYFLOW_FOLLOW_UP_EMAIL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][701] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][702] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][703] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][704] AC_BILLING_BUYFLOW_V2_DEFAULT_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][106] eSig Business Standard Upsell http://shortn/_oHS4N2IbSg root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][601] go/g1-ai-wfac-w5-experiment-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][700] go/abandoned-buyflow-follow-up-email-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][701] go/dvp-design root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. iterable_item_removed root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE
prod/appsgenaiserver-pa-v1	dictionary_item_added root['schemas']['AppsExtensionsFileMetadataGmailMetadata'] root['schemas']['AppsExtensionsSheetsActionsNavigateAction'] root['schemas']['AppsIntelligenceGenAiReferenceMetadata'] root['schemas']['AppsIntelligenceGenAiSheetsNavigationActionParams'] root['schemas']['AppsIntelligenceGenAiTnfmParams'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirect'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirectTaskRedirectAction'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorAdminconsoleaccordionTaskRedirectTaskRedirectConfig'] root['schemas']['AppsUpsellSharedRecommendationTemplatesValuePropGroup'] root['schemas']['AppsUpsellSharedRecommendationTemplatesValuePropGroups'] root['schemas']['AssistantLamdaWorkspaceEditorResourceReferenceMetadataOptions'] root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfoSheetsGridRange'] root['schemas']['AppsExtensionsFileMetadata']['properties']['gmailMetadata'] root['schemas']['AppsExtensionsSheetsActions']['properties']['navigateAction'] root['schemas']['AppsIntelligenceGenAiAction']['properties']['sheetsNavigationActionParams'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['deprecated'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['tableMetadata']['deprecated'] root['schemas']['AppsIntelligenceGenAiUseCaseParams']['properties']['tnfmParams'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['referenceMetadata'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['citations']['deprecated'] root['schemas']['AppsUpsellSharedRecommendationCommonRecommendation']['properties']['valuePropGroups'] root['schemas']['AppsUpsellSharedRecommendationCustomizedactionbehaviorCustomizedActionBehavior']['properties']['adminConsoleAccordionTaskRedirect'] root['schemas']['AssistantLamdaWorkspaceEditorResourceReferenceEditorResourceOptions']['properties']['metadataOptions'] root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfo']['properties']['sheetsGridRange'] dictionary_item_removed root['schemas']['AppsIntelligenceGenAiCitationMetadata']['description'] root['schemas']['AppsIntelligenceGenAiCitationMetadata']['properties']['tableMetadata']['description'] root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['citations']['description'] values_changed root['revision'] new_value 20250310 old_value 20250306 root['schemas']['AppsExtensionsWorkflowDataSource']['description'] new_value Workflow only. In a `TextInput` or `SelectionInput` widget with MULTI_SELECT type or a `DateTimePicker`, provide data source from Google. old_value Workflow only. In a `SelectionInput` or `TextInput` widget with DROPDOWN or MULTI_SELECT type, provide data source from Google. root['schemas']['AppsIntelligenceGenAiAction']['description'] new_value Next ID: 19 old_value Next ID: 18 root['schemas']['AppsIntelligenceGenAiUseCaseParams']['description'] new_value Generate Use Case specific parameters Next ID: 13. old_value Generate Use Case specific parameters Next ID: 12. root['schemas']['AppsIntelligenceGenAiWorkspaceResourceMetadata']['properties']['attributions']['description'] new_value List of citations in the response that point at this resource (go/bk-citations-prd). old_value Metadata about nodes in response that are attributable to this resource. root['schemas']['AppsUpsellSharedRecommendationCommonRecommendation']['description'] new_value A common response for recommendation systems. Next id: 26 old_value A common response for recommendation systems. Next id: 25 root['schemas']['AssistantLamdaEncryptionMetadata']['properties']['isEncrypted']['description'] new_value Indicates if the file contents is encrypted. If true, the keyset must also be specified, otherwise the file contents will not be readable. If the file attachment is read from logs, this may be set to true even if the keyset is not present to indicate that the file was encrypted but can no longer be decrypted. Encrypted files are stored as "plain" files in storage, since file-type specific processing (e.g. transcoding of images) would fail due to the encryption. See: go/bard-storage-encryption This has the side effect that FIFE urls will not be generated for encrypted files. Moreover encrypted files are not copied to persistent storage. Trying to copy them will fail. If false, but a keyset is specified, the file will not be decrypted. If the file contents is encrypted, this will lead to garbage data being returned. old_value Indicates if the file contents is encrypted. If true, the keyset must also be specified, otherwise the file contents will not be readable. If the file attachment is read from logs, this may be set to true even if the keyset is not present to indicate that the file was encrypted but can no longer be decrypted. If false, but a keyset is specified, the file will not be decrypted. If the file contents is encrypted, this will lead to garbage data being returned. root['schemas']['AssistantLamdaNightwingMutatingOp']['description'] new_value An op that generated by the tool. For now it's also used between the server and the client, but we can also translate this proto into the RobinOp in the future. More on go/bard-rfc-802. LINT.IfChange Next ID: 1091. old_value An op that generated by the tool. For now it's also used between the server and the client, but we can also translate this proto into the RobinOp in the future. More on go/bard-rfc-802. LINT.IfChange Next ID: 1090. root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][342] new_value Meet: Landing page with no agenda listed. old_value Meet: Landing page promo root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][347] new_value Meet: Premium feature paywall. old_value Meet: Recording paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][338] new_value Meet: Breakout room paywall. old_value Meet: Carousel root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][339] new_value Meet: Carousel. old_value Meet: General paywall root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][337] new_value Meet Android: Homescreen banner. old_value Meet: Breakout room paywall root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][341] new_value Meet: Greenroom banner. old_value Meet: Landing page with no agenda listed root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][340] new_value Meet: General paywall. old_value Meet: Greenroom banner root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][345] new_value Meet: Landing page with agenda listed. old_value Meet: Poll paywall root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][344] new_value Meet: Landing page welcome screen. old_value Meet: Landing page with agenda listed root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][343] new_value Meet: Landing page promo. old_value Meet: Landing page welcome screen root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][346] new_value Meet: Poll paywall. old_value Meet: Premium feature paywall iterable_item_added root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiAction']['properties']['actionType']['enum'][19] SHEETS_NAVIGATION root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][35] VIDEO_GENERATION_INPUT_UNSAFE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][36] VIDEO_GENERATION_OUTPUT_UNSAFE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][37] VIDEO_GENERATION_ALL_GENERATIONS_FAILED root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enum'][38] VIDEO_GENERATION_SOFT_PUSHBACK_REWRITTEN root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][35] The Kopi request failed because the input to the video generation was deemed unsafe. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][36] The Kopi request failed because the output of the video generation was deemed unsafe. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][37] The Kopi request failed because all requested video generations failed. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['genAiServiceErrorReason']['enumDescriptions'][38] The Kopi request failed because the video generation tool soft pushback was rewritten. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][85] GMAIL_COPY_CREATOR_CUSTOMER_REACTIVATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][86] GMAIL_COPY_CREATOR_MARKETING_CAMPAIGN root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][87] GMAIL_COPY_CREATOR_PRODUCT_INTRODUCTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][88] GMAIL_CUSTOMER_OUTREACH_SPECIALIST_COMPLAINS_APOLOGY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][89] GMAIL_CUSTOMER_OUTREACH_SPECIALIST_ENQUIRIES_RESPONSE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][90] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_CUSTOMERS_SENTIMENT_COMPARISON root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][91] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_FEEDBACK_SUMMARY root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][92] GMAIL_CUSTOMER_SENTIMENT_ANALYZER_NEW_PRODUCT_FEEDBACK_ANALYSIS root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][97] GMAIL_HIRING_CONSULTANT_CANDIDATES_OUTREACH_EMAIL_GENERATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][98] GMAIL_HIRING_CONSULTANT_INTERVIEW_QUESTION_SUGGESTION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][99] GMAIL_HIRING_CONSULTANT_NEW_JOB_DESCRIPTION_CREATION root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][101] GMAIL_SALES_PITCH_IDEATOR_BRAINSTORM root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][102] GMAIL_SALES_PITCH_IDEATOR_CRAFT_MESSAGES root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][103] GMAIL_SALES_PITCH_IDEATOR_OBJECTIONS_RESPONSE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['starterTileType']['enum'][104] GMAIL_SALES_PITCH_IDEATOR_SALES_PITCH root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][19] CLASSIC_USE_CASE_GENERATE_TEXT_DEPENDENT_QUESTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][20] CLASSIC_USE_CASE_GENERATE_RUBRIC root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][21] CLASSIC_USE_CASE_GENERATE_STORY root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][22] CLASSIC_USE_CASE_TRANSLATE_TEXT root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][23] CLASSIC_USE_CASE_GENERATE_COMMON_MISCONCEPTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][24] CLASSIC_USE_CASE_GENERATE_PROJECT_ACTIVITIES root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][25] CLASSIC_USE_CASE_GENERATE_INFORMATIVE_ARTICLES root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['classicUseCase']['enum'][26] CLASSIC_USE_CASE_GENERATE_CHOICE_BOARD root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['AppsUpsellSharedRecommendationRecommendationSurface']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['AppsUpsellSharedRecommendationTemplatesCategory']['properties']['promoCategory']['enum'][25] PROMO_CATEGORY_G1_UPSELL root['schemas']['AssistantLamdaWorkspaceToolContentViewNavigationInfo']['properties']['viewDestination']['enum'][2] VIEW_DESTINATION_SHEETS_GRID_RANGE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][16] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER_NOTICE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][305] XXX_TEST_ONLY_XWS_FLAG_PROMO_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][324] GEMRISE_V2_NOTEBOOKLM_DISCOVER_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][423] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DOCS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][424] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DOCS_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][425] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_SHEETS_AND_SLIDES_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][426] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_SHEETS_AND_SLIDES_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][431] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][432] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][433] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][434] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][435] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][436] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][437] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][438] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][439] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][440] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][441] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][442] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_AC_UPSELL_BANNER_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][443] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP_TEMPLATE root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][479] ADMIN_CONSOLE_ONBOARDING_ADD_USER_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][480] ADMIN_CONSOLE_ONBOARDING_LOGO_UPLOAD_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][481] ADMIN_CONSOLE_ONBOARDING_VERIFY_DOMAIN_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][482] ADMIN_CONSOLE_ONBOARDING_GMAIL_SETTING_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][483] ADMIN_CONSOLE_ONBOARDING_TWOSV_ENFORCEMENT_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][484] ADMIN_CONSOLE_ONBOARDING_MIGRATE_DATA_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][485] ADMIN_CONSOLE_ONBOARDING_CREATE_EMAIL_ALIAS_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][486] ADMIN_CONSOLE_ONBOARDING_MX_RECORDS_SETUP_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][487] ADMIN_CONSOLE_ONBOARDING_ICANN_VERIFICATION_TASK_CARD_WITH_CONTEXT root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][488] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][489] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][490] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][491] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][492] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][493] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][494] AC_BILLING_BUYFLOW_V2_DEFAULT_CHECKOUT_CARD root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enum'][495] AC_BILLING_BUYFLOW_V2_DEFAULT_CHECKOUT_VALUE_PROP_GROUPS root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enumDescriptions'][479] go/ac-accordion root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoTemplateId']['enumDescriptions'][488] go/dvp-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][106] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][115] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][316] CORE_VALUE_EMAIL_BUSINESS_STARTER_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][317] CORE_VALUE_EMAIL_BUSINESS_STARTER_NON_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][318] CORE_VALUE_EMAIL_BUSINESS_STARTER_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][325] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][326] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][327] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][328] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][329] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][330] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][354] XXX_TEST_ONLY_XWS_FLAG_PROMO root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][355] XXX_TEST_ONLY_MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][601] G1_GEN_AI_UPSELL_WFAC_WAVE5 root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][700] ABANDONED_BUYFLOW_FOLLOW_UP_EMAIL root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][701] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][702] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][703] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enum'][704] AC_BILLING_BUYFLOW_V2_DEFAULT_VALUE_PROP root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][106] eSig Business Standard Upsell http://shortn/_oHS4N2IbSg root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][601] go/g1-ai-wfac-w5-experiment-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][700] go/abandoned-buyflow-follow-up-email-design root['schemas']['CccHostedUpsellProtoEventsDerivedRecommendationInteractionDetails']['properties']['promoType']['enumDescriptions'][701] go/dvp-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][106] CORE_VALUE_E_SIGNATURE_UPSELL_DOCS_TOOLTIP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][115] DOCS_GEN_AI_LOCKED_FEATURES_CONSUMER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][316] CORE_VALUE_EMAIL_BUSINESS_STARTER_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][317] CORE_VALUE_EMAIL_BUSINESS_STARTER_NON_DISCOUNT_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][318] CORE_VALUE_EMAIL_BUSINESS_STARTER_UPSELL_MONTHLY_V2 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][325] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][326] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_E_SIGNATURE_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][327] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][328] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_SA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][329] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_NO_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][330] CORE_VALUE_MONTHLY_V2_BIZ_STARTER_CA_DISCOUNT_DISCOVER_AC_UPSELL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][354] XXX_TEST_ONLY_XWS_FLAG_PROMO root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][355] XXX_TEST_ONLY_MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][601] G1_GEN_AI_UPSELL_WFAC_WAVE5 root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][700] ABANDONED_BUYFLOW_FOLLOW_UP_EMAIL root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][701] AC_BILLING_BUYFLOW_V2_SECURITY_ADVISOR_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][702] AC_BILLING_BUYFLOW_V2_APPOINTMENT_SCHEDULING_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][703] AC_BILLING_BUYFLOW_V2_E_SIGNATURE_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enum'][704] AC_BILLING_BUYFLOW_V2_DEFAULT_VALUE_PROP root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][106] eSig Business Standard Upsell http://shortn/_oHS4N2IbSg root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][601] go/g1-ai-wfac-w5-experiment-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][700] go/abandoned-buyflow-follow-up-email-design root['schemas']['CccHostedUpsellProtoSourceAttributionSource']['properties']['promoType']['enumDescriptions'][701] go/dvp-design root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enum'][337] MEET_ANDROID_HOMESCREEN_BANNER root['schemas']['GoogleInternalSubscriptionsFirstpartyV1CallToActionInAppPurchase']['properties']['onramp']['enumDescriptions'][348] Meet: Recording paywall. iterable_item_removed root['schemas']['AppsExtensionsDuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiClientDebugInfo']['properties']['useCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGenerateRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGenerationIteration']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiGetQuotaSummaryRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiQuestionAnswerListActionParamsQuestionAnswer']['properties']['useCaseForSuggestionFollowup']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiRecordFeatureUsageRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiStarterTile']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiTurn']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE root['schemas']['AppsIntelligenceGenAiWriteAuditLogRequest']['properties']['generateUseCase']['enum'][94] CATEGORIZE_EMAIL_FOR_DRIVE
prod/arcore-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/arcore-v1	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/arcore-v1beta2	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/arcorecloudanchor-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/arcorecloudanchor-v1beta2	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/asia-east1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-east1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-east1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-east1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/asia-east1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/asia-east1-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/asia-east1-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/asia-south1-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/asia-south1-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/asia-southeast1-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/asia-southeast1-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/asia-southeast1-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/asia-southeast1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-southeast1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-southeast1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/asia-southeast1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/asia-southeast1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/auditrecording-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][243] new_value User disconnects medical records from a certain healthcare provider from syncing with Fitbit. (http://screen/8ePocZyJ9BgVSGC) old_value User disconnects their medical record from Fitbit (http://screen/8ePocZyJ9BgVSGC) iterable_item_added root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][172] FITBIT_CONSENT_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][277] GOOGLE_HOME_LABS_CONSENT root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][524] TRAVEL_REENGAGEMENT_HOTEL_PROPERTY_TRACKING_CHANGED root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][172] An event for the Fitbit+Gaia consent CONSENT_ID_PHR_DEMOGRAPHIC_CONFIRMATION reported via UCS/FCS. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][277] The user has agreed to Google Home Labs go/labs-tos-ari root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][524] User has changed their hotel property tracking (enabled/disabled). root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][242] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][243] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION_DISCONNECTING root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][713] PAISA_MERCHANT_FLUTTER_BUSINESS_CLASSIFICATION_HOMEPAGE_BOTTOM_SHEET_SCREEN root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][922] TRAVEL_REENGAGEMENT_WEB_MAYFLOWER_PROPERTY_TRACKING_TOGGLE root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][1066] YOUTUBE_MUSIC_ANDROID_STATS_RENEWAL_PROMOTION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][1079] YOUTUBE_MUSIC_IOS_STATS_RENEWAL_PROMOTION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][242] User confirms that their demographic information matches healthcare provider records for the incoming medical record being synced to Fitbit. (http://screen/QbJ6NAzAYCFxGWx) root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][245] User disconnects all their medical record from syncing with Fitbit (http://screen/8BNCYZP6LgYfeaH) root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][713] User going through the Paisa Merchant Business Classification Home Page bottom sheet screen in Flutter app. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][921] Hotel market tracking toggle in Mayflower listview. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][922] Hotel property tracking toggle in Mayflower placesheet. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][1066] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the Android YTM client. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][1079] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the iOS YTM client.
prod/auditrecording-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][243] new_value User disconnects medical records from a certain healthcare provider from syncing with Fitbit. (http://screen/8ePocZyJ9BgVSGC) old_value User disconnects their medical record from Fitbit (http://screen/8ePocZyJ9BgVSGC) iterable_item_added root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][172] FITBIT_CONSENT_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][277] GOOGLE_HOME_LABS_CONSENT root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enum'][524] TRAVEL_REENGAGEMENT_HOTEL_PROPERTY_TRACKING_CHANGED root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][172] An event for the Fitbit+Gaia consent CONSENT_ID_PHR_DEMOGRAPHIC_CONFIRMATION reported via UCS/FCS. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][277] The user has agreed to Google Home Labs go/labs-tos-ari root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodEvent']['properties']['name']['enumDescriptions'][524] User has changed their hotel property tracking (enabled/disabled). root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][242] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][243] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION_DISCONNECTING root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][713] PAISA_MERCHANT_FLUTTER_BUSINESS_CLASSIFICATION_HOMEPAGE_BOTTOM_SHEET_SCREEN root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][922] TRAVEL_REENGAGEMENT_WEB_MAYFLOWER_PROPERTY_TRACKING_TOGGLE root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][1066] YOUTUBE_MUSIC_ANDROID_STATS_RENEWAL_PROMOTION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enum'][1079] YOUTUBE_MUSIC_IOS_STATS_RENEWAL_PROMOTION root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][242] User confirms that their demographic information matches healthcare provider records for the incoming medical record being synced to Fitbit. (http://screen/QbJ6NAzAYCFxGWx) root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][245] User disconnects all their medical record from syncing with Fitbit (http://screen/8BNCYZP6LgYfeaH) root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][713] User going through the Paisa Merchant Business Classification Home Page bottom sheet screen in Flutter app. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][921] Hotel market tracking toggle in Mayflower listview. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][922] Hotel property tracking toggle in Mayflower placesheet. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][1066] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the Android YTM client. root['schemas']['GoogleInternalApiAuditrecordingV1NongoogleprodUiContext']['properties']['contextId']['enumDescriptions'][1079] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the iOS YTM client.
prod/autofill-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/autofill-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/automotivemaps-	dictionary_item_added root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['altitudeMeters'] root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['ellipsoidAltitudeMeters']['deprecated'] values_changed root['revision'] new_value 20250310 old_value 20250303 root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['ellipsoidAltitudeMeters']['description'] new_value Optional. Altitude in meters relative to the WGS84 ellipsoid. The ellipsoid is used instead of the geoid because there is only one WGS84 ellipsoid but several potential geoids to be used. The geoid is left to the partner. Note that this may mean that geoid heights could be measured in km in some places. (Mt. Everest is ~9km above sea level.) Positive numbers indicate higher altitude, negative numbers indicate lower altitude. Deprecated: Use altitude_meters instead. old_value Optional. Altitude in meters relative to the WGS84 ellipsoid. The ellipsoid is used instead of the geoid because there is only one WGS84 ellipsoid but several potential geoids to be used. The geoid is left to the partner. Note that this may mean that geoid heights could be measured in km in some places. (Mt. Everest is ~9km above sea level.) Positive numbers indicate higher altitude, negative numbers indicate lower altitude.
prod/automotivemaps-v1	dictionary_item_added root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['altitudeMeters'] root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['ellipsoidAltitudeMeters']['deprecated'] values_changed root['revision'] new_value 20250310 old_value 20250303 root['schemas']['GoogleMapsAutomotivemapsV1Wgs84Coordinate']['properties']['ellipsoidAltitudeMeters']['description'] new_value Optional. Altitude in meters relative to the WGS84 ellipsoid. The ellipsoid is used instead of the geoid because there is only one WGS84 ellipsoid but several potential geoids to be used. The geoid is left to the partner. Note that this may mean that geoid heights could be measured in km in some places. (Mt. Everest is ~9km above sea level.) Positive numbers indicate higher altitude, negative numbers indicate lower altitude. Deprecated: Use altitude_meters instead. old_value Optional. Altitude in meters relative to the WGS84 ellipsoid. The ellipsoid is used instead of the geoid because there is only one WGS84 ellipsoid but several potential geoids to be used. The geoid is left to the partner. Note that this may mean that geoid heights could be measured in km in some places. (Mt. Everest is ~9km above sea level.) Positive numbers indicate higher altitude, negative numbers indicate lower altitude.
prod/autopush-keep-pa-	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250313 old_value 20250216 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/autopush-keep-pa-v1	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250313 old_value 20250216 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/autopush-notes-pa.sandbox-	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersOverLimitsCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersTasksDisabledCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['locationRemindersOnEnteringPhase1Count'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['migratedLocationRemindersCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersCount']['deprecated'] dictionary_item_removed root['schemas']['Node']['properties']['sharerEmail'] values_changed root['revision'] new_value 20250313 old_value 20250216 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersCount']['description'] new_value Deprecated: The cumulative count of reminders deleted. old_value The cumulative count of reminders deleted. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/autopush-notes-pa.sandbox-v1	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersOverLimitsCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersTasksDisabledCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['locationRemindersOnEnteringPhase1Count'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['migratedLocationRemindersCount'] root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersCount']['deprecated'] dictionary_item_removed root['schemas']['Node']['properties']['sharerEmail'] values_changed root['revision'] new_value 20250313 old_value 20250216 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['UserInfo']['properties']['remindersMigrationData']['properties']['deletedRemindersCount']['description'] new_value Deprecated: The cumulative count of reminders deleted. old_value The cumulative count of reminders deleted. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/autopush-notifications-pa.sandbox-	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250314 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/autopush-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250314 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/autopush-proddata-notifications-pa.sandbox-	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250314 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/autopush-proddata-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250314 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/autopush-qual-playground-notifications-pa.sandbox-	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/autopush-qual-playground-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/blobcomments-pa-	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/blobcomments-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/buildeventservice-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/buildeventservice-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/carddav-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/carddav-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/chromedevicetoken-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/chromedevicetoken-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/clientauthconfig-	values_changed root['revision'] new_value 20250309 old_value 20250302 iterable_item_added root['schemas']['Client']['properties']['accountRestrictionService']['enum'][692] P11_VALLEY_APP root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1152] RETIRED_NOMNI_APP root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1602] OMNILAB_PARTNER_LAB_API root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1603] UX_ACCELERATION_API root['schemas']['Client']['properties']['accountRestrictionService']['enumDescriptions'][1602] OmniLab Partner Lab Private API First Party Auth scope for google3/googledata/gaia/mint/apiscopes/omnilab/partner_lab.cfg Design: go/oem-pantheon-backend-impl Contact: omnilab-test-infra-team@google.com, omnilab-cx-team@google.com root['schemas']['Client']['properties']['accountRestrictionService']['enumDescriptions'][1603] UX Acceleration API Backend for go/ux-acceleration First Party Auth scope for google3/googledata/gaia/mint/apiscopes/uxacceleration/uxacceleration.cfg Contact: gdt-uxa-team@google.com iterable_item_removed root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1151] NOMNI_APP
prod/clientauthconfig-v1	values_changed root['revision'] new_value 20250309 old_value 20250302 iterable_item_added root['schemas']['Client']['properties']['accountRestrictionService']['enum'][692] P11_VALLEY_APP root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1152] RETIRED_NOMNI_APP root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1602] OMNILAB_PARTNER_LAB_API root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1603] UX_ACCELERATION_API root['schemas']['Client']['properties']['accountRestrictionService']['enumDescriptions'][1602] OmniLab Partner Lab Private API First Party Auth scope for google3/googledata/gaia/mint/apiscopes/omnilab/partner_lab.cfg Design: go/oem-pantheon-backend-impl Contact: omnilab-test-infra-team@google.com, omnilab-cx-team@google.com root['schemas']['Client']['properties']['accountRestrictionService']['enumDescriptions'][1603] UX Acceleration API Backend for go/ux-acceleration First Party Auth scope for google3/googledata/gaia/mint/apiscopes/uxacceleration/uxacceleration.cfg Contact: gdt-uxa-team@google.com iterable_item_removed root['schemas']['Client']['properties']['accountRestrictionService']['enum'][1151] NOMNI_APP
prod/cloudaicompanion-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudaicompanion-v1	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['dataSharingWithGoogleSettings']['resources']['settingBindings']['methods']['patch'] values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudaicompanion-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudaicompanion-v1beta	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudchannel-pa-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/cloudchannel-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/cloudchannel-pa-v1alpha1	values_changed root['resources']['opportunities']['methods']['patch']['parameters']['name']['description'] new_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. Available in Limited view. old_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. root['revision'] new_value 20250311 old_value 20250308 root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['domain']['description'] new_value Required. Customer's primary website domain. Available in Limited view. old_value Required. Customer's primary website domain. root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['organizationName']['description'] new_value Required. Name of the Customer Organization. Available in Limited view. old_value Required. Name of the Customer Organization. root['schemas']['GoogleCloudChannelV1alpha1CustomerInfo']['properties']['customerDetails']['description'] new_value Required. Firm details needed for creating a new customer or for mapping to an existing customer. Available in Limited view. old_value Required. Firm details needed for creating a new customer or for mapping to an existing customer. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['customerDisplayName']['description'] new_value Output only. Customer display name that the Opportunity is associated with. This maps to the Vector Account name. Available in Limited view. old_value Output only. Customer display name that the Opportunity is associated with. This maps to the Vector Account name. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['customerInfo']['description'] new_value Required. Information of the end customer used for matching to an existing customer account or for creating a new one. Required for Creating an Opportunity. Can't be edited after the Opportunity is Accepted. Available in Limited view. old_value Required. Information of the end customer used for matching to an existing customer account or for creating a new one. Required for Creating an Opportunity. Can't be edited after the Opportunity is Accepted. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['name']['description'] new_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. Available in Limited view. old_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['opportunityInfo']['description'] new_value Required. Information about the Opportunity provided during deal submission. Required for Creating an Opportunity. Available in Limited view. old_value Required. Information about the Opportunity provided during deal submission. Required for Creating an Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['opportunityTeamMembers']['description'] new_value Output only. Information on the Partner users with access to the Opportunity. Present only after the Opportunity is Accepted. Unset otherwise. Can't be edited. Available in Limited view. Only lists the Partner Development Manager (PDM) roles in Limited view. old_value Output only. Information on the Partner users with access to the Opportunity. Present only after the Opportunity is Accepted. Unset otherwise. Can't be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['owner']['description'] new_value Output only. Name of the Google FSR who owns the Opportunity. Available in Limited view. old_value Output only. Name of the Google FSR who owns the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['ownerEmail']['description'] new_value Output only. Email of the Google FSR who owns the Opportunity. Available in Limited view. old_value Output only. Email of the Google FSR who owns the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['partnerInfo']['description'] new_value Optional. Opportunity information related to the sourcing Partner. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. Available in Limited view. old_value Optional. Opportunity information related to the sourcing Partner. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['referenceOpportunityId']['description'] new_value Output only. Opportunity ID in the Partner Advantage Portal. This ID is meant for mapping the Opportunities to the old system, and has a 1 to 1 mapping with the opportunities in this Service. Available in Limited view. old_value Output only. Opportunity ID in the Partner Advantage Portal. This ID is meant for mapping the Opportunities to the old system, and has a 1 to 1 mapping with the opportunities in this Service. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['salesCycle']['description'] new_value Optional. Information related to the Sales cycle. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. Available in Limited view. old_value Optional. Information related to the Sales cycle. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['source']['description'] new_value Output only. Represents if the Opportunity was created by Google or by Partner. Available in Limited view. old_value Output only. Represents if the Opportunity was created by Google or by Partner. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['stage']['description'] new_value The sales stage that the Opportunity is in. New Opportunities are created in Stage 0. Can only be updated after the Opportunity is ACCEPTED. Can't be updated to CLOSED. Available in Limited view. old_value The sales stage that the Opportunity is in. New Opportunities are created in Stage 0. Can only be updated after the Opportunity is ACCEPTED. Can't be updated to CLOSED. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['state']['description'] new_value Optional. State the Opportunity is in. Client can only set the state to DRAFT or SUBMITTED. Default: DRAFT. Available in Limited view. old_value Optional. State the Opportunity is in. Client can only set the state to DRAFT or SUBMITTED. Default: DRAFT. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['stateDescription']['description'] new_value Output only. Contains the reason if the Opportunity was not accepted. Available in Limited view. old_value Output only. Contains the reason if the Opportunity was not accepted. root['schemas']['GoogleCloudChannelV1alpha1OpportunityInfo']['properties']['description']['description'] new_value Optional. Opportunity description. Available in Limited view. old_value Optional. Opportunity description. root['schemas']['GoogleCloudChannelV1alpha1OpportunityInfo']['properties']['displayName']['description'] new_value Optional. Display name for the Opportunity. Available in Limited view. old_value Optional. Display name for the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['accessLevel']['description'] new_value Output only. Access Level. Available in Limited view. old_value Output only. Access Level. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['email']['description'] new_value Output only. Email. Available in Limited view. old_value Output only. Email. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['name']['description'] new_value Output only. Name. Available in Limited view. old_value Output only. Name. root['schemas']['GoogleCloudChannelV1alpha1SalesCycle']['properties']['closeDate']['description'] new_value Output only. For open opportunities, this is the expected close date. For closed opportunities, this is the contract signed date Available in Limited view. old_value Output only. For open opportunities, this is the expected close date. For closed opportunities, this is the contract signed date
prod/cloudchannel-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/cloudcode-pa-	values_changed root['revision'] new_value 20250309 old_value 20250311 iterable_item_added root['schemas']['ClientMetadata']['properties']['pluginType']['enum'][5] PANTHEON root['schemas']['ClientMetadata']['properties']['pluginType']['enumDescriptions'][5] API calls coming from Pantheon and Coliseum.
prod/cloudcode-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250311
prod/cloudcode-pa-v1internal	values_changed root['revision'] new_value 20250309 old_value 20250311 iterable_item_added root['schemas']['ClientMetadata']['properties']['pluginType']['enum'][5] PANTHEON root['schemas']['ClientMetadata']['properties']['pluginType']['enumDescriptions'][5] API calls coming from Pantheon and Coliseum.
prod/cloudcommerceconsumerprocurement-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceconsumerprocurement-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceconsumerprocurement-v1alpha1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceinventory-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceinventory-pa-v0	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceinventoryconsumer-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceinventoryconsumer-pa-v0	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceprocurement-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudcommerceprocurement-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/cloudmarketplace-	values_changed root['revision'] new_value 20250308 old_value 20250301 root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][243] new_value User disconnects medical records from a certain healthcare provider from syncing with Fitbit. (http://screen/8ePocZyJ9BgVSGC) old_value User disconnects their medical record from Fitbit (http://screen/8ePocZyJ9BgVSGC) iterable_item_added root['schemas']['UiContext']['properties']['contextId']['enum'][242] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['UiContext']['properties']['contextId']['enum'][243] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION_DISCONNECTING root['schemas']['UiContext']['properties']['contextId']['enum'][713] PAISA_MERCHANT_FLUTTER_BUSINESS_CLASSIFICATION_HOMEPAGE_BOTTOM_SHEET_SCREEN root['schemas']['UiContext']['properties']['contextId']['enum'][922] TRAVEL_REENGAGEMENT_WEB_MAYFLOWER_PROPERTY_TRACKING_TOGGLE root['schemas']['UiContext']['properties']['contextId']['enum'][1066] YOUTUBE_MUSIC_ANDROID_STATS_RENEWAL_PROMOTION root['schemas']['UiContext']['properties']['contextId']['enum'][1079] YOUTUBE_MUSIC_IOS_STATS_RENEWAL_PROMOTION root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][242] User confirms that their demographic information matches healthcare provider records for the incoming medical record being synced to Fitbit. (http://screen/QbJ6NAzAYCFxGWx) root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][245] User disconnects all their medical record from syncing with Fitbit (http://screen/8BNCYZP6LgYfeaH) root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][713] User going through the Paisa Merchant Business Classification Home Page bottom sheet screen in Flutter app. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][921] Hotel market tracking toggle in Mayflower listview. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][922] Hotel property tracking toggle in Mayflower placesheet. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][1066] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the Android YTM client. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][1079] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the iOS YTM client.
prod/cloudmarketplace-v1test	values_changed root['revision'] new_value 20250308 old_value 20250301 root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][243] new_value User disconnects medical records from a certain healthcare provider from syncing with Fitbit. (http://screen/8ePocZyJ9BgVSGC) old_value User disconnects their medical record from Fitbit (http://screen/8ePocZyJ9BgVSGC) iterable_item_added root['schemas']['UiContext']['properties']['contextId']['enum'][242] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION root['schemas']['UiContext']['properties']['contextId']['enum'][243] FITBIT_ANDROID_PHR_DEMOGRAPHIC_CONFIRMATION_DISCONNECTING root['schemas']['UiContext']['properties']['contextId']['enum'][713] PAISA_MERCHANT_FLUTTER_BUSINESS_CLASSIFICATION_HOMEPAGE_BOTTOM_SHEET_SCREEN root['schemas']['UiContext']['properties']['contextId']['enum'][922] TRAVEL_REENGAGEMENT_WEB_MAYFLOWER_PROPERTY_TRACKING_TOGGLE root['schemas']['UiContext']['properties']['contextId']['enum'][1066] YOUTUBE_MUSIC_ANDROID_STATS_RENEWAL_PROMOTION root['schemas']['UiContext']['properties']['contextId']['enum'][1079] YOUTUBE_MUSIC_IOS_STATS_RENEWAL_PROMOTION root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][242] User confirms that their demographic information matches healthcare provider records for the incoming medical record being synced to Fitbit. (http://screen/QbJ6NAzAYCFxGWx) root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][245] User disconnects all their medical record from syncing with Fitbit (http://screen/8BNCYZP6LgYfeaH) root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][713] User going through the Paisa Merchant Business Classification Home Page bottom sheet screen in Flutter app. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][921] Hotel market tracking toggle in Mayflower listview. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][922] Hotel property tracking toggle in Mayflower placesheet. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][1066] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the Android YTM client. root['schemas']['UiContext']['properties']['contextId']['enumDescriptions'][1079] User is presented with consent text for renewing their public stats consent via Nitrate promotion on the iOS YTM client.
prod/cloudmarketplaceadmin-	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/cloudmarketplaceadmin-v1test	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/cloudmarketplacepartner-	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/cloudmarketplacepartner-v2test	values_changed root['revision'] new_value 20250308 old_value 20250301
prod/cloudnumberregistry-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/cloudnumberregistry-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/cloudsupport-pa-	values_changed root['revision'] new_value 20250313 old_value 20250305
prod/cloudsupport-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250305
prod/cloudsupportinfra-	values_changed root['revision'] new_value 20250312 old_value 20250304
prod/cloudsupportinfra-v1	values_changed root['revision'] new_value 20250312 old_value 20250304
prod/cloudsupportinfra-v1alpha1	values_changed root['revision'] new_value 20250312 old_value 20250304
prod/cloudvideosearch-	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/cloudvideosearch-v1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/commerceoffercatalog-	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleCloudBillingOffercatalogV1alphaOfferTerm']['properties']['offerTermTimes']['description'] new_value A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design. This field will be populated at best effort and not 100% accurate for legacy postpay private offers, it should be only used for the variable revenue share feature project. old_value A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design.
prod/commerceoffercatalog-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleCloudBillingOffercatalogV1alphaOfferTerm']['properties']['offerTermTimes']['description'] new_value A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design. This field will be populated at best effort and not 100% accurate for legacy postpay private offers, it should be only used for the variable revenue share feature project. old_value A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design.
prod/commercepricemanagement-	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleCloudBillingCommercepricemanagementV1alphaOfferTerm']['properties']['offerTermTimes']['description'] new_value Output only. A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design. This field will be populated at best effort and not 100% accurate for legacy postpay private offers, it should be only used for the variable revenue share feature project. old_value Output only. A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design.
prod/commercepricemanagement-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/commercepricemanagement-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250302 root['schemas']['GoogleCloudBillingCommercepricemanagementV1alphaOfferTerm']['properties']['offerTermTimes']['description'] new_value Output only. A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design. This field will be populated at best effort and not 100% accurate for legacy postpay private offers, it should be only used for the variable revenue share feature project. old_value Output only. A list of the term boundaries on the offer. This is only relevant for subscription-based private offers. The first entry is considered the start of the first term, and the last entry is considered the end of the last term. The in-between entries are only present in the case of auto renewals. For a replacement offer, the first entry is one of the following: If the existing offer has been renewed, it is the most recent renewal time; Otherwise, it is the same as the first entry of offer_term_times of the existing offer. For offers that start upon customer acceptance, these entries will not exist until the offer is purchased, because it is impossible to know the actual start time without the purchase. Examples: * Standard interval offers with renewal, term = 2 months: 01/04 (offer start time) 03/04 (end time without renewal, which is the start of the first renewal) 05/04 (end time after renewal) * Standard interval offers without renewal, term = 2 months: 01/04 (offer start time), 03/04 (offer end time) * Custom interval offers: 01/04 (offer start time), 09/06 (offer end time) More explanations and examples can be found in go/merged-prepay-additional-design.
prod/configdelivery-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/configdelivery-v1alpha	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/containersecurity-	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/containersecurity-v1	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/containersecurity-v1beta	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/containersecurity-v1main	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/content-actions-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/content-actions-v2	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/content-actions-v2alpha	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/content-actions-v3	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/content-alkaliauth-pa-	values_changed root['revision'] new_value 20250311 old_value 20250225
prod/content-alkaliauth-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250225
prod/content-alkalilearn-pa-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-alkalilearn-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-alkalilearn-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-alkalimetricsink-pa-	values_changed root['revision'] new_value 20250313 old_value 20250306 iterable_item_added root['schemas']['EventMetric']['properties']['metricType']['enum'][14] LARGEST_CONTENTFUL_PAINT root['schemas']['EventMetric']['properties']['metricType']['enum'][15] LARGEST_CONTENTFUL_PAINT_SPA root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][14] Largest Contentful Paint root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][15] Largest Contentful Paint Transition
prod/content-alkalimetricsink-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250306 iterable_item_added root['schemas']['EventMetric']['properties']['metricType']['enum'][14] LARGEST_CONTENTFUL_PAINT root['schemas']['EventMetric']['properties']['metricType']['enum'][15] LARGEST_CONTENTFUL_PAINT_SPA root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][14] Largest Contentful Paint root['schemas']['EventMetric']['properties']['metricType']['enumDescriptions'][15] Largest Contentful Paint Transition
prod/content-autofill-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/content-autofill-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/content-cloudchannel-pa-	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-cloudchannel-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-cloudchannel-pa-v1alpha1	values_changed root['resources']['opportunities']['methods']['patch']['parameters']['name']['description'] new_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. Available in Limited view. old_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. root['revision'] new_value 20250311 old_value 20250308 root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['domain']['description'] new_value Required. Customer's primary website domain. Available in Limited view. old_value Required. Customer's primary website domain. root['schemas']['GoogleCloudChannelV1alpha1CustomerDetails']['properties']['organizationName']['description'] new_value Required. Name of the Customer Organization. Available in Limited view. old_value Required. Name of the Customer Organization. root['schemas']['GoogleCloudChannelV1alpha1CustomerInfo']['properties']['customerDetails']['description'] new_value Required. Firm details needed for creating a new customer or for mapping to an existing customer. Available in Limited view. old_value Required. Firm details needed for creating a new customer or for mapping to an existing customer. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['customerDisplayName']['description'] new_value Output only. Customer display name that the Opportunity is associated with. This maps to the Vector Account name. Available in Limited view. old_value Output only. Customer display name that the Opportunity is associated with. This maps to the Vector Account name. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['customerInfo']['description'] new_value Required. Information of the end customer used for matching to an existing customer account or for creating a new one. Required for Creating an Opportunity. Can't be edited after the Opportunity is Accepted. Available in Limited view. old_value Required. Information of the end customer used for matching to an existing customer account or for creating a new one. Required for Creating an Opportunity. Can't be edited after the Opportunity is Accepted. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['name']['description'] new_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. Available in Limited view. old_value Identifier. Resource name of an Opportunity in the form: opportunities/{opportunity_id}. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['opportunityInfo']['description'] new_value Required. Information about the Opportunity provided during deal submission. Required for Creating an Opportunity. Available in Limited view. old_value Required. Information about the Opportunity provided during deal submission. Required for Creating an Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['opportunityTeamMembers']['description'] new_value Output only. Information on the Partner users with access to the Opportunity. Present only after the Opportunity is Accepted. Unset otherwise. Can't be edited. Available in Limited view. Only lists the Partner Development Manager (PDM) roles in Limited view. old_value Output only. Information on the Partner users with access to the Opportunity. Present only after the Opportunity is Accepted. Unset otherwise. Can't be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['owner']['description'] new_value Output only. Name of the Google FSR who owns the Opportunity. Available in Limited view. old_value Output only. Name of the Google FSR who owns the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['ownerEmail']['description'] new_value Output only. Email of the Google FSR who owns the Opportunity. Available in Limited view. old_value Output only. Email of the Google FSR who owns the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['partnerInfo']['description'] new_value Optional. Opportunity information related to the sourcing Partner. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. Available in Limited view. old_value Optional. Opportunity information related to the sourcing Partner. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['referenceOpportunityId']['description'] new_value Output only. Opportunity ID in the Partner Advantage Portal. This ID is meant for mapping the Opportunities to the old system, and has a 1 to 1 mapping with the opportunities in this Service. Available in Limited view. old_value Output only. Opportunity ID in the Partner Advantage Portal. This ID is meant for mapping the Opportunities to the old system, and has a 1 to 1 mapping with the opportunities in this Service. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['salesCycle']['description'] new_value Optional. Information related to the Sales cycle. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. Available in Limited view. old_value Optional. Information related to the Sales cycle. Present only after the Opportunity is Accepted. Unset otherwise. Can be edited. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['source']['description'] new_value Output only. Represents if the Opportunity was created by Google or by Partner. Available in Limited view. old_value Output only. Represents if the Opportunity was created by Google or by Partner. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['stage']['description'] new_value The sales stage that the Opportunity is in. New Opportunities are created in Stage 0. Can only be updated after the Opportunity is ACCEPTED. Can't be updated to CLOSED. Available in Limited view. old_value The sales stage that the Opportunity is in. New Opportunities are created in Stage 0. Can only be updated after the Opportunity is ACCEPTED. Can't be updated to CLOSED. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['state']['description'] new_value Optional. State the Opportunity is in. Client can only set the state to DRAFT or SUBMITTED. Default: DRAFT. Available in Limited view. old_value Optional. State the Opportunity is in. Client can only set the state to DRAFT or SUBMITTED. Default: DRAFT. root['schemas']['GoogleCloudChannelV1alpha1Opportunity']['properties']['stateDescription']['description'] new_value Output only. Contains the reason if the Opportunity was not accepted. Available in Limited view. old_value Output only. Contains the reason if the Opportunity was not accepted. root['schemas']['GoogleCloudChannelV1alpha1OpportunityInfo']['properties']['description']['description'] new_value Optional. Opportunity description. Available in Limited view. old_value Optional. Opportunity description. root['schemas']['GoogleCloudChannelV1alpha1OpportunityInfo']['properties']['displayName']['description'] new_value Optional. Display name for the Opportunity. Available in Limited view. old_value Optional. Display name for the Opportunity. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['accessLevel']['description'] new_value Output only. Access Level. Available in Limited view. old_value Output only. Access Level. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['email']['description'] new_value Output only. Email. Available in Limited view. old_value Output only. Email. root['schemas']['GoogleCloudChannelV1alpha1OpportunityTeamMember']['properties']['name']['description'] new_value Output only. Name. Available in Limited view. old_value Output only. Name. root['schemas']['GoogleCloudChannelV1alpha1SalesCycle']['properties']['closeDate']['description'] new_value Output only. For open opportunities, this is the expected close date. For closed opportunities, this is the contract signed date Available in Limited view. old_value Output only. For open opportunities, this is the expected close date. For closed opportunities, this is the contract signed date
prod/content-cloudchannel-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250308
prod/content-cloudcommerceinventoryconsumer-pa-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/content-cloudcommerceinventoryconsumer-pa-v0	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/content-daily-cloudsearch-	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/content-daily-cloudsearch-v1	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/content-dynamicmail-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/content-dynamicmail-pa-v2	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/content-fit-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/content-fit-v2beta1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/content-keep-pa-	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250207 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/content-keep-pa-v1	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250207 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/content-notes-pa-	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250210 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/content-notes-pa-v1	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250210 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/content-partners-pa-	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/content-partners-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/content-partners-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/content-quantum-	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/content-quantum-v1alpha1	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/content-resultstore-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/content-resultstore-v2	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/content-takeout-pa-	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/content-takeout-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/content-takeout-pa-v2	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/content-tasks-pa-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/content-tasks-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/contentmanager-	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][45] SEMANTIC_TYPE_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][124] SEMANTIC_TYPE_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][228] SEMANTIC_TYPE_CASES_WHATSAPP_CONSENT root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][285] SEMANTIC_TYPE_CS_TEAM_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][555] SEMANTIC_TYPE_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][45] b/400713111 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][124] b/399143770 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][228] b/397762924 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][285] b/399076775 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][555] b/399143094 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][66] b/400713111 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][154] b/399143770 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][277] b/397762924 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][372] b/399076775 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][727] b/399143094 root['schemas']['LocalizedContextViewMetadataOmitForTypes']['properties']['requestSource']['items']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['PropertyValue']['properties']['userProduct']['enum'][17] YOUTUBE_CREATOR_SUPPORT_ADMIN_POLICY_CONTEXT root['schemas']['PropertyValue']['properties']['userProduct']['enum'][18] YOUTUBE_CREATOR_SUPPORT_ADMIN_PROFILE_CONTEXT root['schemas']['PropertyValue']['properties']['userProduct']['enum'][417] CUSTOMER_COMPANY_TIER_SEGMENTS root['schemas']['PropertyValue']['properties']['userProduct']['enumDescriptions'][417] Specialize CDP Products Signal Groups *************************************** Customer Company Tier Segments from CustomerAccount used for Cases enrichment and/or routing. root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][66] b/400713111 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][154] b/399143770 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][277] b/397762924 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][372] b/399076775 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][727] b/399143094
prod/contentmanager-v1	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FrdDisabled']['properties']['disabledFrdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][45] SEMANTIC_TYPE_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][124] SEMANTIC_TYPE_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][228] SEMANTIC_TYPE_CASES_WHATSAPP_CONSENT root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][285] SEMANTIC_TYPE_CS_TEAM_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enum'][555] SEMANTIC_TYPE_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][45] b/400713111 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][124] b/399143770 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][228] b/397762924 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][285] b/399076775 root['schemas']['FrdSemanticTypeUndefined']['properties']['undefinedSemanticType']['enumDescriptions'][555] b/399143094 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['FrdUndefined']['properties']['undefinedFrdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][66] b/400713111 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][154] b/399143770 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][277] b/397762924 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][372] b/399076775 root['schemas']['GetAvailableFrdValuesRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][727] b/399143094 root['schemas']['LocalizedContextViewMetadataOmitForTypes']['properties']['requestSource']['items']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['PropertyValue']['properties']['userProduct']['enum'][17] YOUTUBE_CREATOR_SUPPORT_ADMIN_POLICY_CONTEXT root['schemas']['PropertyValue']['properties']['userProduct']['enum'][18] YOUTUBE_CREATOR_SUPPORT_ADMIN_PROFILE_CONTEXT root['schemas']['PropertyValue']['properties']['userProduct']['enum'][417] CUSTOMER_COMPANY_TIER_SEGMENTS root['schemas']['PropertyValue']['properties']['userProduct']['enumDescriptions'][417] Specialize CDP Products Signal Groups *************************************** Customer Company Tier Segments from CustomerAccount used for Cases enrichment and/or routing. root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][66] b/400713111 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][154] b/399143770 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][277] b/397762924 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][372] b/399076775 root['schemas']['WorkflowClassValueTypeDescriptor']['properties']['sourceFrd']['enumDescriptions'][727] b/399143094
prod/contrails-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/contrails-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/corplearning-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/corplearning-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/cryptauthdevicesync-	values_changed root['revision'] new_value 20250309 old_value 20250223
prod/cryptauthdevicesync-v1	values_changed root['revision'] new_value 20250309 old_value 20250223
prod/cryptauthvault-	values_changed root['revision'] new_value 20250302 old_value 20250303
prod/cryptauthvault-v1	values_changed root['revision'] new_value 20250302 old_value 20250303
prod/daily-cloudsearch-	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/daily-cloudsearch-v1	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/daily-dynamicmail-pa.sandbox-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/daily-dynamicmail-pa.sandbox-v2	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/dataaccessauditlogging-pa-	values_changed root['revision'] new_value 20250309 old_value 20250227 root['schemas']['DataaccessauditloggingPaSecurityDataAccessAppSpecificResources']['description'] new_value A set of resources that EndUserCredentials (EUCs) may grant access to, independent of any given user's ability to access them. As always, an API scope code check must be performed before authorizing access. Regardless of what ASRs are present, no access should be permitted unless it would also be permitted under all-principals authority for the same scope code. Repeated field names in this file should not be pluralized. This file was created before go/protostyle started recommending pluralizing repeated field names. For legacy files, go/protostyle emphasizes consistency. Design doc: go/tonic-asr. Next tag: 160 The type of each field below must be defined in //logs/proto/data_access/asr/. old_value A set of resources that EndUserCredentials (EUCs) may grant access to, independent of any given user's ability to access them. As always, an API scope code check must be performed before authorizing access. Regardless of what ASRs are present, no access should be permitted unless it would also be permitted under all-principals authority for the same scope code. Repeated field names in this file should not be pluralized. This file was created before go/protostyle started recommending pluralizing repeated field names. For legacy files, go/protostyle emphasizes consistency. Design doc: go/tonic-asr. Next tag: 157 The type of each field below must be defined in //logs/proto/data_access/asr/. root['schemas']['DataaccessauditloggingPaUtilStatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['DataaccessauditloggingPaUtilStatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; root['schemas']['DataaccessauditloggingPaSecurityDataAccessResourceId']['properties']['semanticType']['items']['enumDescriptions'][122] new_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * The name of a class, field, etc of Google maintained code. * Schema information of Google-owned internal DBs including SQL statements only referring to schema names (table, column, etc.). * Tool Proxy Grants guarding database backup/restores (go/cloud-dcg#operational-data) old_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * Schema information of Google owned internal DBs including SQL statements only referring to schema names (table, column, etc.). Note: if a query has column value literals, the data type is the same as the column's annotated type in data governance (go/dg-kb) for different governance use cases. * Tool Proxy Grants guarding database backup/restores root['schemas']['DataaccessauditloggingPaSecurityDataAccessDataAccessLogProtoFieldMetadata']['properties']['semanticType']['items']['enumDescriptions'][122] new_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * The name of a class, field, etc of Google maintained code. * Schema information of Google-owned internal DBs including SQL statements only referring to schema names (table, column, etc.). * Tool Proxy Grants guarding database backup/restores (go/cloud-dcg#operational-data) old_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * Schema information of Google owned internal DBs including SQL statements only referring to schema names (table, column, etc.). Note: if a query has column value literals, the data type is the same as the column's annotated type in data governance (go/dg-kb) for different governance use cases. * Tool Proxy Grants guarding database backup/restores
prod/dataaccessauditlogging-pa-v1	values_changed root['revision'] new_value 20250309 old_value 20250227 root['schemas']['DataaccessauditloggingPaSecurityDataAccessAppSpecificResources']['description'] new_value A set of resources that EndUserCredentials (EUCs) may grant access to, independent of any given user's ability to access them. As always, an API scope code check must be performed before authorizing access. Regardless of what ASRs are present, no access should be permitted unless it would also be permitted under all-principals authority for the same scope code. Repeated field names in this file should not be pluralized. This file was created before go/protostyle started recommending pluralizing repeated field names. For legacy files, go/protostyle emphasizes consistency. Design doc: go/tonic-asr. Next tag: 160 The type of each field below must be defined in //logs/proto/data_access/asr/. old_value A set of resources that EndUserCredentials (EUCs) may grant access to, independent of any given user's ability to access them. As always, an API scope code check must be performed before authorizing access. Regardless of what ASRs are present, no access should be permitted unless it would also be permitted under all-principals authority for the same scope code. Repeated field names in this file should not be pluralized. This file was created before go/protostyle started recommending pluralizing repeated field names. For legacy files, go/protostyle emphasizes consistency. Design doc: go/tonic-asr. Next tag: 157 The type of each field below must be defined in //logs/proto/data_access/asr/. root['schemas']['DataaccessauditloggingPaUtilStatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['DataaccessauditloggingPaUtilStatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; root['schemas']['DataaccessauditloggingPaSecurityDataAccessResourceId']['properties']['semanticType']['items']['enumDescriptions'][122] new_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * The name of a class, field, etc of Google maintained code. * Schema information of Google-owned internal DBs including SQL statements only referring to schema names (table, column, etc.). * Tool Proxy Grants guarding database backup/restores (go/cloud-dcg#operational-data) old_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * Schema information of Google owned internal DBs including SQL statements only referring to schema names (table, column, etc.). Note: if a query has column value literals, the data type is the same as the column's annotated type in data governance (go/dg-kb) for different governance use cases. * Tool Proxy Grants guarding database backup/restores root['schemas']['DataaccessauditloggingPaSecurityDataAccessDataAccessLogProtoFieldMetadata']['properties']['semanticType']['items']['enumDescriptions'][122] new_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * The name of a class, field, etc of Google maintained code. * Schema information of Google-owned internal DBs including SQL statements only referring to schema names (table, column, etc.). * Tool Proxy Grants guarding database backup/restores (go/cloud-dcg#operational-data) old_value Google generated data, which is purely internal and from Google's system and operation. This data is not associated with (e.g., filtered to, grouped by) any specific external user/customer (an internal mdb group would be fine). This is not user data. System generated data that is associated with an end user/customer should instead use ST_SYSTEM_DIAGNOSTIC_INFO. Corresponds to http://go/cloud-dcg#operational-data Examples: * Schema information of Google owned internal DBs including SQL statements only referring to schema names (table, column, etc.). Note: if a query has column value literals, the data type is the same as the column's annotated type in data governance (go/dg-kb) for different governance use cases. * Tool Proxy Grants guarding database backup/restores
prod/datamanager-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/datamanager-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/datamixer-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/datamixer-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/dataproc-control-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/dataproc-control-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/dataprocgdc-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/dataprocgdc-v1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/dataprocgdc-v1alpha1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/dataprocrm-	values_changed root['revision'] new_value 20250306 old_value 20250303
prod/dataprocrm-v1	values_changed root['revision'] new_value 20250306 old_value 20250303
prod/datastudio-	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/datastudio-v1	values_changed root['revision'] new_value 20250311 old_value 20250302
prod/developerscontentsearch-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/developerscontentsearch-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/deviceenrollmentforwindows-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/deviceenrollmentforwindows-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/devicemanagementforwindows-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/devicemanagementforwindows-v1	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/directions-pa-	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/directions-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/directions-pa-v1alpha	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/drivefrontend-pa-	dictionary_item_added root['schemas']['Item']['properties']['recursiveFolderCount']['deprecated'] root['schemas']['ListChangesResponse']['properties']['status'] values_changed root['revision'] new_value 20250311 old_value 20250303 root['schemas']['RemovePreventSyncUserRestrictionRequest']['properties']['userAction']['enumDescriptions'][1] new_value The user marked the detection as a false positive. old_value The user clicked the "I recogonize it" button. Indicating the detection was a false-positive. root['schemas']['RemovePreventSyncUserRestrictionRequest']['properties']['userAction']['enumDescriptions'][2] new_value The user marked the detection as a true-positive. old_value The user disconnected the DfD client from the account. Indicating the detection was a true-positive.
prod/drivefrontend-pa-v1	dictionary_item_added root['schemas']['Item']['properties']['recursiveFolderCount']['deprecated'] root['schemas']['ListChangesResponse']['properties']['status'] values_changed root['revision'] new_value 20250311 old_value 20250303 root['schemas']['RemovePreventSyncUserRestrictionRequest']['properties']['userAction']['enumDescriptions'][1] new_value The user marked the detection as a false positive. old_value The user clicked the "I recogonize it" button. Indicating the detection was a false-positive. root['schemas']['RemovePreventSyncUserRestrictionRequest']['properties']['userAction']['enumDescriptions'][2] new_value The user marked the detection as a true-positive. old_value The user disconnected the DfD client from the account. Indicating the detection was a true-positive.
prod/dynamicmail-pa-	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/dynamicmail-pa-v2	values_changed root['revision'] new_value 20250309 old_value 20250304
prod/dynamiteintegration-pa-	dictionary_item_added root['schemas']['SheetsActionsNavigateAction'] root['schemas']['SheetsActionsNavigationInfo'] root['schemas']['ClientFeatureCapabilities']['properties']['speedbumpBypassLevel'] root['schemas']['DuetAiActionLinkAccount']['properties']['connectorUrl'] root['schemas']['SheetsActions']['properties']['navigateAction'] root['schemas']['SheetsActionsOpenSidebarAction']['properties']['navigationInfo'] values_changed root['revision'] new_value 20250311 old_value 20250302 root['schemas']['ClientFeatureCapabilities']['description'] new_value LINT: LEGACY_NAMES Collection of signals to tell the server how it should behave with respect to the specified feature. This is the backend version of the ClientFeatureCapabilities proto defined in frontend: http://shortn/_fTH8ERcJxW. Only the set of signals used in the backend are copied over from the frontend proto. LINT.IfChange Next tag: 52 old_value LINT: LEGACY_NAMES Collection of signals to tell the server how it should behave with respect to the specified feature. This is the backend version of the ClientFeatureCapabilities proto defined in frontend: http://shortn/_fTH8ERcJxW. Only the set of signals used in the backend are copied over from the frontend proto. LINT.IfChange Next tag: 51 root['schemas']['SlashCommand']['properties']['name']['description'] new_value The name of the slash command that must start with a `/`. old_value The name of the command. root['schemas']['WorkflowDataSource']['description'] new_value Workflow only. In a `TextInput` or `SelectionInput` widget with MULTI_SELECT type or a `DateTimePicker`, provide data source from Google. old_value Workflow only. In a `SelectionInput` or `TextInput` widget with DROPDOWN or MULTI_SELECT type, provide data source from Google. iterable_item_added root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][94] GENERATE_NUDGE_PROMPTS root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][94] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['UiKitGemkickExtensionDetails']['properties']['operationType']['enum'][25] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_IMPRESSION root['schemas']['UiKitGemkickExtensionDetails']['properties']['operationType']['enum'][26] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_CLICKED iterable_item_removed root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][93] CATEGORIZE_EMAIL_FOR_DRIVE
prod/dynamiteintegration-pa-v1	dictionary_item_added root['schemas']['SheetsActionsNavigateAction'] root['schemas']['SheetsActionsNavigationInfo'] root['schemas']['ClientFeatureCapabilities']['properties']['speedbumpBypassLevel'] root['schemas']['DuetAiActionLinkAccount']['properties']['connectorUrl'] root['schemas']['SheetsActions']['properties']['navigateAction'] root['schemas']['SheetsActionsOpenSidebarAction']['properties']['navigationInfo'] values_changed root['revision'] new_value 20250311 old_value 20250302 root['schemas']['ClientFeatureCapabilities']['description'] new_value LINT: LEGACY_NAMES Collection of signals to tell the server how it should behave with respect to the specified feature. This is the backend version of the ClientFeatureCapabilities proto defined in frontend: http://shortn/_fTH8ERcJxW. Only the set of signals used in the backend are copied over from the frontend proto. LINT.IfChange Next tag: 52 old_value LINT: LEGACY_NAMES Collection of signals to tell the server how it should behave with respect to the specified feature. This is the backend version of the ClientFeatureCapabilities proto defined in frontend: http://shortn/_fTH8ERcJxW. Only the set of signals used in the backend are copied over from the frontend proto. LINT.IfChange Next tag: 51 root['schemas']['SlashCommand']['properties']['name']['description'] new_value The name of the slash command that must start with a `/`. old_value The name of the command. root['schemas']['WorkflowDataSource']['description'] new_value Workflow only. In a `TextInput` or `SelectionInput` widget with MULTI_SELECT type or a `DateTimePicker`, provide data source from Google. old_value Workflow only. In a `SelectionInput` or `TextInput` widget with DROPDOWN or MULTI_SELECT type, provide data source from Google. iterable_item_added root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][11] SUMMARIZE_FILE root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][58] GENERATE_ITEM_NAME_SUGGESTIONS root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][94] GENERATE_NUDGE_PROMPTS root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][11] Generate a summary based on the content of a specified file. This use case is now used for 1P Link Summary feature. root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][58] Generate item name suggestions from the context (e.g. drive item), and the user can apply a generated suggestion as the item name. root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enumDescriptions'][94] Use case for generating prompts for nudges. Currently used in the PDF Viewer in Drive. root['schemas']['UiKitGemkickExtensionDetails']['properties']['operationType']['enum'][25] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_IMPRESSION root['schemas']['UiKitGemkickExtensionDetails']['properties']['operationType']['enum'][26] GEMKICK_EXTENSION_OPERATION_TYPE_CREATE_A_NOTE_FOR_CONTACT_IN_TOOL_CLICKED iterable_item_removed root['schemas']['DuetAiActionStaticPlanData']['properties']['generateUseCase']['enum'][93] CATEGORIZE_EMAIL_FOR_DRIVE
prod/embeddedassistant-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/embeddedassistant-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/embeddedassistant-v1alpha2	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/embeddedassistant-v1beta1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/emmapplecodevice-	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/emmapplecodevice-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/enterpriseknowledgegraph-	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/enterpriseknowledgegraph-v1	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/eu-alpha-vision-	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-alpha-vision-v1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-alpha-vision-v1p1beta1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-alpha-vision-v1p2beta1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-alpha-vision-v1p3beta1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-alpha-vision-v1p4beta1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/eu-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/eu-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/eu-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/eu-rbmopenmaap-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/eu-rbmopenmaap-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/eu-taskassist-pa-	dictionary_item_added root['schemas']['SourceId']['properties']['threadLocator'] values_changed root['revision'] new_value 20250310 old_value 20250303
prod/eu-taskassist-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/eu-taskassist-pa-v2	dictionary_item_added root['schemas']['SourceId']['properties']['threadLocator'] values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/europe-west1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/europe-west2-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/europe-west2-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/europe-west2-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/europe-west2-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/europe-west2-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/europe-west3-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west3-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west3-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/europe-west3-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/europe-west3-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/familymanagement-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/familymanagement-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/fcmregistrations-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/fcmregistrations-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firealerts-pa-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/firealerts-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/firebaseabt-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseabt-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseabt-pa-v2	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseappcheck-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebaseappcheck-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebaseapptesters-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebaseapptesters-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebaseapptesters-v1alpha	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebasecrashlytics-	values_changed root['revision'] new_value 20250313 old_value 20250310 root['schemas'] new_value Breadcrumb description Analytics events recorded during the session. id Breadcrumb properties eventTime description Device timestamp for the event. format google-datetime type string params additionalProperties type string description Event parameters. type object title description Analytic event name. type string type object DeleteUserCrashReportsResponse description Response message for the DeleteUserCrashReports method. All crash reports associated with the specified user will be deleted typically within 24 hours of receiving the crash report. id DeleteUserCrashReportsResponse properties targetCompleteTime description Target time to complete the delete crash reports operation. format google-datetime type string type object Device description Mobile device metadata. id Device properties architecture description Device processor architecture. type string companyName description An invariant name of the manufacturer that submitted this product in its most recognizable human-readable form. e.g. "Google" type string displayName description Full device name, suitable for passing to DeviceFilter. Formatted like "manufacturer (model)". type string formFactor description See FormFactor message enum FORM_FACTOR_UNSPECIFIED PHONE TABLET DESKTOP TV WATCH enumDescriptions Unknown Includes mobile phones, small foldables and other form factors not fitting the other categories. Includes tablets and larger foldables. Includes desktops, laptops, Chromebooks, etc. Includes televisions and set-tops Includes both watches and other wearables type string manufacturer description Device brand name which is consistent with android.os.Build.BRAND type string marketingName description Marketing name, most recognizable human-readable form. e.g. "Pixel 6" type string model description The model name which is consistent with android.os.Build.MODEL e.g. ("SPH-L710", "GT-I9300") type string type object Error description A non-fatal error and its stacktrace, only from Apple apps. id Error properties blamed description True when the Crashlytics analysis has determined that the stacktrace in this error is where the fault occurred. type boolean code description Error code associated with the app's custom logged NSError. format int64 type string frames description The frames in the error's stacktrace. items $ref Frame type array queue description The queue on which the thread was running. type string subtitle description The subtitle of the error. type string title description The title of the error. type string type object Event description The message describing a single Crashlytics event. Should be almost the same as the big query schema for consistency. google3/java/com/google/fabric/crashlytics/proto/bigqueryexport.proto id Event properties appOrientation description App orientation at the time of the crash (portrait or landscape). type string blameFrame $ref Frame description The stack trace frame blamed by Crashlytics processing. May not be present in future analyzer. breadcrumbs description Analytics events recorded by the analytics SDK during the session. items $ref Breadcrumb type array buildStamp description Metadata provided by the app's build system, including version control repository info. type string bundleOrPackage description The bundle name for iOS apps or the package name of Android apps. Format usually like "com.mycompany.myapp". type string crashlyticsSdkVersion description Crashlytics SDK version. type string customKeys additionalProperties type string description Custom keys set by the developer during the session. type object device $ref Device description Mobile device metadata. deviceOrientation description Device orientation at the time of the crash (portrait or landscape). type string errors description Apple only: A non-fatal error captured by the iOS SDK and its stacktrace. items $ref Error type array eventId description Output only. Immutable. The unique event identifier is assigned during processing. readOnly True type string eventTime description Device timestamp at which the event was recorded. format google-datetime type string exceptions description Android only: Exceptions that occurred during this event. Nested exceptions are presented in reverse chronological order, so that the last record is the first exception thrown. items $ref Exception type array installationUuid description Unique identifier for the device-app installation. This field is used to compute the unique number of impacted users. type string issue $ref Issue description Details for the [Issue] assigned to this [Event]. issueSubtitle description The subtitle of the issue in which the event was grouped. This is usually a symbol or an exception message. type string issueTitle description The title of the issue in which the event was grouped. This is usually a source file or method name. type string logs description Log messages recorded by the developer during the session. items $ref Log type array memory $ref Memory description Mobile device memory usage. name description Required. Output only. Immutable. Identifier. The name of the event resource. Format: `projects/{project}/apps/{app_id}/events/{event}` readOnly True type string operatingSystem $ref OperatingSystem description Operating system and version. platform description Mobile platform (Android or iOS). type string processState description The state of the app process at the time of the event. type string receivedTime description Server timestamp at which the event was received by Crashlytics. format google-datetime type string storage $ref Storage description Mobile device disk/flash usage. threads description Application threads present at the time the event was recorded. Each contains a stacktrace. One thread will be blamed for the error. items $ref Thread type array user $ref User description End user identifiers for the device owner. version $ref Version description Mobile application version. type object Exception description A Java exception and its stacktrace, only from Android apps. id Exception properties blamed description True when the Crashlytics analysis has determined that this thread is where the fault occurred. type boolean exceptionMessage description A message associated with the exception. type string frames description The frames in the exception's stacktrace. items $ref Frame type array nested description True for all but the last-thrown exception (i.e. the first record). type boolean subtitle description The subtitle of the exception. type string title description The title of the exception. type string type description The exception type e.g. java.lang.IllegalStateException. type string type object FirebaseSessionEvent description Sessions recorded by the Firebase App Quality Sessions SDK id FirebaseSessionEvent properties device $ref Device description Mobile device metadata. eventTime description The start timestamp for the session event. format google-datetime type string eventType description Session event type. The SDK only supports SESSION_START events at this time. enum SESSION_EVENT_TYPE_UNKNOWN SESSION_START enumDescriptions Unknown Application session started type string firebaseInstallationId description Uniquely identifies a device with Firebase apps installed. type string firstSessionId description The identifier of the first session since the last "cold start." This id and the session_id will be the same for app launches. type string operatingSystem $ref OperatingSystem description Operating system and version. sessionId description Unique identifier for the Firebase session type string sessionIndex description Indicates the number of sessions since the last cold start. format int32 type integer version $ref Version description Mobile application version numbers. type object Frame description A frame in a stacktrace. id Frame properties address description The address in the binary image which contains the code. Present for native frames. format int64 type string blamed description True when the Crashlytics analysis has determined that this frame is likely to be the cause of the error. type boolean file description The name of the source file in which the frame is found. type string library description The display name of the library that includes the frame. type string line description The line number in the file of the frame. format int64 type string offset description The byte offset into the binary image that contains the code. Present for native frames. format int64 type string owner description One of DEVELOPER, VENDOR, RUNTIME, PLATFORM, or SYSTEM. type string symbol description The frame symbol after it has been deobfuscated or symbolicated. The raw symbol from the device if it could not be hydrated. type string type object IntervalMetrics description A set of computed metric values for a time interval id IntervalMetrics properties endTime description The end of the interval covered by the computation. format google-datetime type string eventsCount description The total count of events in the interval. format int64 type string impactedUsersCount description The cardinality of distinct users in the set of events. format int64 type string startTime description The start of the interval covered by the computation. format google-datetime type string type object Issue description An issue describes a set of similar events that have been analyzed by Crashlytics and grouped together. All events within an issue will be of the same error_type: crash, non-fatal exception or ANR. All events within an issue will contain similar stack traces in their blamed thread. id Issue properties errorType description Output only. Immutable. Indicates whether this issue is a crash, non-fatal exception, or ANR. enum ERROR_TYPE_UNSPECIFIED FATAL NON_FATAL ANR enumDescriptions Unknown Fatal crash event. Non-fatal event, such as a caught Java exception or NSError on iOS. Application not responding error, Android only. readOnly True type string firstSeenVersion description Output only. Immutable. The first app display_version in which this issue was seen. readOnly True type string id description Output only. Immutable. Unique identifier for the issue. readOnly True type string lastSeenVersion description Output only. The most recent app display_version in which this issue was seen. readOnly True type string name description Required. Output only. Immutable. Identifier. The name of the issue resource. Format: `projects/{project}/apps/{app}/issues/{issue}` readOnly True type string notesCount description Output only. Immutable. The number of notes attached to an issue. format int64 readOnly True type string sampleEvent description Output only. The resource name for a sample event in this issue. readOnly True type string signals description Output only. Immutable. Distinctive characteristics assigned by the Crashlytics analyzer. items $ref IssueSignals readOnly True type array state description Output only. Indicates whether this issue is open, closed or muted. For details on how issue states change without user actions, see https://firebase.google.com/docs/crashlytics/troubleshooting?platform=ios#regressed-issues. enum STATE_UNSPECIFIED OPEN CLOSED MUTED enumDescriptions Unknown Ongoing issue. Issue resolved. Issue muted. No alerts will be fired for this issue. readOnly True type string subtitle description Output only. Immutable. Caption subtitle. This is usually a symbol or an exception message. readOnly True type string title description Output only. Immutable. Caption title. This is usually a source file or method name. readOnly True type string uri description Output only. Provides a link to the Issue on the Firebase console. When this Issue is obtained as part of a Report, then the link will be configured with the same time interval and filters as the request. readOnly True type string variants description Output only. Immutable. The top 12 variants (subgroups) within the issue. Variants group events within an issue that are very similar. A single result implies that the "variant" is the same as the parent issue. This field will be empty when multiple issues are requested. Request a single issue to list variants. items $ref IssueVariant readOnly True type array type object IssueSignals description Distinctive characteristics assigned by the Crashlytics analyzer. id IssueSignals properties description description Output only. Supporting detail information. readOnly True type string signal description Output only. The signal name. enum SIGNAL_UNSPECIFIED SIGNAL_EARLY SIGNAL_FRESH SIGNAL_REGRESSED SIGNAL_REPETITIVE enumDescriptions Default Indicates an issue that is impacting end users early in the app session. Indicates newly detected issues. Indicates previously closed issues which have been detected again. Indicates issues impacting some end users multiple times. readOnly True type string type object IssueVariant description A variant is a subgroup of an issue where all events have very similar stack traces. Issues may contain one or more variants. id IssueVariant properties id description Output only. Immutable. Distinct identifier for the variant. readOnly True type string sampleEvent description Output only. The resource name for a sample event in this variant. readOnly True type string uri description Output only. Provides a link to the Variant on the Firebase console. When this Variant is obtained as part of a Report, then the link will be configured with the same time interval and filters as the request. readOnly True type string type object Log description Developer-provided log lines recorded during the session. id Log properties logTime description Device timestamp when the line was logged. format google-datetime type string message description Log message. type string type object Memory description Mobile device memory usage. id Memory properties free description Bytes free. format int64 type string used description Bytes in use. format int64 type string type object OperatingSystem description Mobile device operating system metadata. id OperatingSystem properties deviceType description The device category (mobile, tablet, desktop). type string displayName description Formatted name and version number, suitable for passing to OperatingSystemFilter. type string displayVersion description Operating system display version number. type string modificationState description Indicates if the OS has been modified or "jailbroken." type string os description Operating system name. type string type description The OS type on Apple platforms (iOS, iPadOS, etc.). type string type object PlayTrack description Describes a release track in the Play Developer Console. id PlayTrack properties title description User-generated or auto-generated name of this track. PROD and INTERNAL track types always have auto-generated names, ie. "prod" and "internal" respectively. Tracks of type EARLY_ACCESS always have a user-generated name. Other track types do not have any guarantees, might have user-generated or auto-generated names. type string type description The type of track (prod, internal, etc.). enum TRACK_TYPE_UNSPECIFIED TRACK_TYPE_PROD TRACK_TYPE_INTERNAL TRACK_TYPE_OPEN_TESTING TRACK_TYPE_CLOSED_TESTING TRACK_TYPE_EARLY_ACCESS enumDescriptions Unknown Production Internal testing Open testing Closed testing Early access type string type object ReportGroup description A group of results in an EventReport, similar to a SQL "GROUP BY" result. In any report, the group_parent field is strictly the same type for all of the groups in any collection. id ReportGroup properties device $ref Device description Device metrics group issue $ref Issue description Issue metrics group metrics description Scalar metrics will contain a single object covering the entire interval, while time-dimensioned graphs will contain one per time grain. items $ref IntervalMetrics type array operatingSystem $ref OperatingSystem description Operating system metrics group subgroups description Additional nested groupings when relevant, eg by operating system and operating system version items $ref ReportGroup type array variant $ref IssueVariant description Issue variant metrics group version $ref Version description Version metrics group type object Storage description Mobile device disk/flash usage. Not reported for all devices. id Storage properties free description Bytes free. format int64 type string used description Bytes used. format int64 type string type object Thread description An application thread. id Thread properties blamed description True when the Crashlytics analysis has determined that the stacktrace in this thread is where the fault occurred. type boolean crashAddress description The address of the signal that caused the application to crash. Only present on crashed native threads format int64 type string crashed description True when the thread has crashed. type boolean frames description The frames in the thread's stacktrace. items $ref Frame type array name description The name of the thread. type string queue description The queue on which the thread was running. type string signal description The name of the signal that caused the app to crash. Only present on crashed native threads. type string signalCode description The code of the signal that caused the app to crash. Only present on crashed native threads. type string subtitle description The subtitle of the thread. type string sysThreadId description The system id of the thread, only available for ANR threads. format int64 type string threadId description The id of the thread, only available for ANR threads. format int64 type string threadState description Output only. The state of the thread at the time the ANR occurred. enum STATE_UNSPECIFIED THREAD_STATE_TERMINATED THREAD_STATE_RUNNABLE THREAD_STATE_TIMED_WAITING THREAD_STATE_BLOCKED THREAD_STATE_WAITING THREAD_STATE_NEW THREAD_STATE_NATIVE_RUNNABLE THREAD_STATE_NATIVE_WAITING enumDescriptions Thread state unspecified. Thread was terminated. Thread was runnable. Thread was waiting with a timeout. Thread was blocked. Thread was waiting. Thread was started, yet to run anything. The thread was native and we could not heuristically determine that it was was waiting, so assume it's runnable. We heuristically determined that the thread is waiting. readOnly True type string title description The title of the thread. type string type object User description Developer-provided end user identifiers. id User properties id description User id if provided by the app developer. type string type object Version description Application software version. id Version properties buildVersion description One display_version can have many build_version. On Android, strictly the same as "version code" On iOS, strictly the same as "build number" or CFBundleVersion type string displayName description Compound human-readable string containing both display and build versions. Formatted like "display_version (build_version)" eg "1.2.3 (456)" This string can be used for filtering with the VersionFilter.display_name field. type string displayVersion description Human-readable version string, eg "1.2.3" On Android, strictly the same as "version name" On iOS, strictly the same as "version number" or CFBundleShortVersionString type string tracks description Indicates releases which have artifacts that are currently available in the Play Store to the target audience of the track. Versions may be available in multiple tracks. items $ref PlayTrack type array type object old_value DeleteUserCrashReportsResponse description Response message for the DeleteUserCrashReports method. All crash reports associated with the specified user will be deleted typically within 24 hours of receiving the crash report. id DeleteUserCrashReportsResponse properties targetCompleteTime description Target time to complete the delete crash reports operation. format google-datetime type string type object
prod/firebasecrashlytics-v1alpha	values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas'] new_value Breadcrumb description Analytics events recorded during the session. id Breadcrumb properties eventTime description Device timestamp for the event. format google-datetime type string params additionalProperties type string description Event parameters. type object title description Analytic event name. type string type object DeleteUserCrashReportsResponse description Response message for the DeleteUserCrashReports method. All crash reports associated with the specified user will be deleted typically within 24 hours of receiving the crash report. id DeleteUserCrashReportsResponse properties targetCompleteTime description Target time to complete the delete crash reports operation. format google-datetime type string type object Device description Mobile device metadata. id Device properties architecture description Device processor architecture. type string companyName description An invariant name of the manufacturer that submitted this product in its most recognizable human-readable form. e.g. "Google" type string displayName description Full device name, suitable for passing to DeviceFilter. Formatted like "manufacturer (model)". type string formFactor description See FormFactor message enum FORM_FACTOR_UNSPECIFIED PHONE TABLET DESKTOP TV WATCH enumDescriptions Unknown Includes mobile phones, small foldables and other form factors not fitting the other categories. Includes tablets and larger foldables. Includes desktops, laptops, Chromebooks, etc. Includes televisions and set-tops Includes both watches and other wearables type string manufacturer description Device brand name which is consistent with android.os.Build.BRAND type string marketingName description Marketing name, most recognizable human-readable form. e.g. "Pixel 6" type string model description The model name which is consistent with android.os.Build.MODEL e.g. ("SPH-L710", "GT-I9300") type string type object Error description A non-fatal error and its stacktrace, only from Apple apps. id Error properties blamed description True when the Crashlytics analysis has determined that the stacktrace in this error is where the fault occurred. type boolean code description Error code associated with the app's custom logged NSError. format int64 type string frames description The frames in the error's stacktrace. items $ref Frame type array queue description The queue on which the thread was running. type string subtitle description The subtitle of the error. type string title description The title of the error. type string type object Event description The message describing a single Crashlytics event. Should be almost the same as the big query schema for consistency. google3/java/com/google/fabric/crashlytics/proto/bigqueryexport.proto id Event properties appOrientation description App orientation at the time of the crash (portrait or landscape). type string blameFrame $ref Frame description The stack trace frame blamed by Crashlytics processing. May not be present in future analyzer. breadcrumbs description Analytics events recorded by the analytics SDK during the session. items $ref Breadcrumb type array buildStamp description Metadata provided by the app's build system, including version control repository info. type string bundleOrPackage description The bundle name for iOS apps or the package name of Android apps. Format usually like "com.mycompany.myapp". type string crashlyticsSdkVersion description Crashlytics SDK version. type string customKeys additionalProperties type string description Custom keys set by the developer during the session. type object device $ref Device description Mobile device metadata. deviceOrientation description Device orientation at the time of the crash (portrait or landscape). type string errors description Apple only: A non-fatal error captured by the iOS SDK and its stacktrace. items $ref Error type array eventId description Output only. Immutable. The unique event identifier is assigned during processing. readOnly True type string eventTime description Device timestamp at which the event was recorded. format google-datetime type string exceptions description Android only: Exceptions that occurred during this event. Nested exceptions are presented in reverse chronological order, so that the last record is the first exception thrown. items $ref Exception type array installationUuid description Unique identifier for the device-app installation. This field is used to compute the unique number of impacted users. type string issue $ref Issue description Details for the [Issue] assigned to this [Event]. issueSubtitle description The subtitle of the issue in which the event was grouped. This is usually a symbol or an exception message. type string issueTitle description The title of the issue in which the event was grouped. This is usually a source file or method name. type string logs description Log messages recorded by the developer during the session. items $ref Log type array memory $ref Memory description Mobile device memory usage. name description Required. Output only. Immutable. Identifier. The name of the event resource. Format: `projects/{project}/apps/{app_id}/events/{event}` readOnly True type string operatingSystem $ref OperatingSystem description Operating system and version. platform description Mobile platform (Android or iOS). type string processState description The state of the app process at the time of the event. type string receivedTime description Server timestamp at which the event was received by Crashlytics. format google-datetime type string storage $ref Storage description Mobile device disk/flash usage. threads description Application threads present at the time the event was recorded. Each contains a stacktrace. One thread will be blamed for the error. items $ref Thread type array user $ref User description End user identifiers for the device owner. version $ref Version description Mobile application version. type object Exception description A Java exception and its stacktrace, only from Android apps. id Exception properties blamed description True when the Crashlytics analysis has determined that this thread is where the fault occurred. type boolean exceptionMessage description A message associated with the exception. type string frames description The frames in the exception's stacktrace. items $ref Frame type array nested description True for all but the last-thrown exception (i.e. the first record). type boolean subtitle description The subtitle of the exception. type string title description The title of the exception. type string type description The exception type e.g. java.lang.IllegalStateException. type string type object FirebaseSessionEvent description Sessions recorded by the Firebase App Quality Sessions SDK id FirebaseSessionEvent properties device $ref Device description Mobile device metadata. eventTime description The start timestamp for the session event. format google-datetime type string eventType description Session event type. The SDK only supports SESSION_START events at this time. enum SESSION_EVENT_TYPE_UNKNOWN SESSION_START enumDescriptions Unknown Application session started type string firebaseInstallationId description Uniquely identifies a device with Firebase apps installed. type string firstSessionId description The identifier of the first session since the last "cold start." This id and the session_id will be the same for app launches. type string operatingSystem $ref OperatingSystem description Operating system and version. sessionId description Unique identifier for the Firebase session type string sessionIndex description Indicates the number of sessions since the last cold start. format int32 type integer version $ref Version description Mobile application version numbers. type object Frame description A frame in a stacktrace. id Frame properties address description The address in the binary image which contains the code. Present for native frames. format int64 type string blamed description True when the Crashlytics analysis has determined that this frame is likely to be the cause of the error. type boolean file description The name of the source file in which the frame is found. type string library description The display name of the library that includes the frame. type string line description The line number in the file of the frame. format int64 type string offset description The byte offset into the binary image that contains the code. Present for native frames. format int64 type string owner description One of DEVELOPER, VENDOR, RUNTIME, PLATFORM, or SYSTEM. type string symbol description The frame symbol after it has been deobfuscated or symbolicated. The raw symbol from the device if it could not be hydrated. type string type object IntervalMetrics description A set of computed metric values for a time interval id IntervalMetrics properties endTime description The end of the interval covered by the computation. format google-datetime type string eventsCount description The total count of events in the interval. format int64 type string impactedUsersCount description The cardinality of distinct users in the set of events. format int64 type string startTime description The start of the interval covered by the computation. format google-datetime type string type object Issue description An issue describes a set of similar events that have been analyzed by Crashlytics and grouped together. All events within an issue will be of the same error_type: crash, non-fatal exception or ANR. All events within an issue will contain similar stack traces in their blamed thread. id Issue properties errorType description Output only. Immutable. Indicates whether this issue is a crash, non-fatal exception, or ANR. enum ERROR_TYPE_UNSPECIFIED FATAL NON_FATAL ANR enumDescriptions Unknown Fatal crash event. Non-fatal event, such as a caught Java exception or NSError on iOS. Application not responding error, Android only. readOnly True type string firstSeenVersion description Output only. Immutable. The first app display_version in which this issue was seen. readOnly True type string id description Output only. Immutable. Unique identifier for the issue. readOnly True type string lastSeenVersion description Output only. The most recent app display_version in which this issue was seen. readOnly True type string name description Required. Output only. Immutable. Identifier. The name of the issue resource. Format: `projects/{project}/apps/{app}/issues/{issue}` readOnly True type string notesCount description Output only. Immutable. The number of notes attached to an issue. format int64 readOnly True type string sampleEvent description Output only. The resource name for a sample event in this issue. readOnly True type string signals description Output only. Immutable. Distinctive characteristics assigned by the Crashlytics analyzer. items $ref IssueSignals readOnly True type array state description Output only. Indicates whether this issue is open, closed or muted. For details on how issue states change without user actions, see https://firebase.google.com/docs/crashlytics/troubleshooting?platform=ios#regressed-issues. enum STATE_UNSPECIFIED OPEN CLOSED MUTED enumDescriptions Unknown Ongoing issue. Issue resolved. Issue muted. No alerts will be fired for this issue. readOnly True type string subtitle description Output only. Immutable. Caption subtitle. This is usually a symbol or an exception message. readOnly True type string title description Output only. Immutable. Caption title. This is usually a source file or method name. readOnly True type string uri description Output only. Provides a link to the Issue on the Firebase console. When this Issue is obtained as part of a Report, then the link will be configured with the same time interval and filters as the request. readOnly True type string variants description Output only. Immutable. The top 12 variants (subgroups) within the issue. Variants group events within an issue that are very similar. A single result implies that the "variant" is the same as the parent issue. This field will be empty when multiple issues are requested. Request a single issue to list variants. items $ref IssueVariant readOnly True type array type object IssueSignals description Distinctive characteristics assigned by the Crashlytics analyzer. id IssueSignals properties description description Output only. Supporting detail information. readOnly True type string signal description Output only. The signal name. enum SIGNAL_UNSPECIFIED SIGNAL_EARLY SIGNAL_FRESH SIGNAL_REGRESSED SIGNAL_REPETITIVE enumDescriptions Default Indicates an issue that is impacting end users early in the app session. Indicates newly detected issues. Indicates previously closed issues which have been detected again. Indicates issues impacting some end users multiple times. readOnly True type string type object IssueVariant description A variant is a subgroup of an issue where all events have very similar stack traces. Issues may contain one or more variants. id IssueVariant properties id description Output only. Immutable. Distinct identifier for the variant. readOnly True type string sampleEvent description Output only. The resource name for a sample event in this variant. readOnly True type string uri description Output only. Provides a link to the Variant on the Firebase console. When this Variant is obtained as part of a Report, then the link will be configured with the same time interval and filters as the request. readOnly True type string type object Log description Developer-provided log lines recorded during the session. id Log properties logTime description Device timestamp when the line was logged. format google-datetime type string message description Log message. type string type object Memory description Mobile device memory usage. id Memory properties free description Bytes free. format int64 type string used description Bytes in use. format int64 type string type object OperatingSystem description Mobile device operating system metadata. id OperatingSystem properties deviceType description The device category (mobile, tablet, desktop). type string displayName description Formatted name and version number, suitable for passing to OperatingSystemFilter. type string displayVersion description Operating system display version number. type string modificationState description Indicates if the OS has been modified or "jailbroken." type string os description Operating system name. type string type description The OS type on Apple platforms (iOS, iPadOS, etc.). type string type object PlayTrack description Describes a release track in the Play Developer Console. id PlayTrack properties title description User-generated or auto-generated name of this track. PROD and INTERNAL track types always have auto-generated names, ie. "prod" and "internal" respectively. Tracks of type EARLY_ACCESS always have a user-generated name. Other track types do not have any guarantees, might have user-generated or auto-generated names. type string type description The type of track (prod, internal, etc.). enum TRACK_TYPE_UNSPECIFIED TRACK_TYPE_PROD TRACK_TYPE_INTERNAL TRACK_TYPE_OPEN_TESTING TRACK_TYPE_CLOSED_TESTING TRACK_TYPE_EARLY_ACCESS enumDescriptions Unknown Production Internal testing Open testing Closed testing Early access type string type object ReportGroup description A group of results in an EventReport, similar to a SQL "GROUP BY" result. In any report, the group_parent field is strictly the same type for all of the groups in any collection. id ReportGroup properties device $ref Device description Device metrics group issue $ref Issue description Issue metrics group metrics description Scalar metrics will contain a single object covering the entire interval, while time-dimensioned graphs will contain one per time grain. items $ref IntervalMetrics type array operatingSystem $ref OperatingSystem description Operating system metrics group subgroups description Additional nested groupings when relevant, eg by operating system and operating system version items $ref ReportGroup type array variant $ref IssueVariant description Issue variant metrics group version $ref Version description Version metrics group type object Storage description Mobile device disk/flash usage. Not reported for all devices. id Storage properties free description Bytes free. format int64 type string used description Bytes used. format int64 type string type object Thread description An application thread. id Thread properties blamed description True when the Crashlytics analysis has determined that the stacktrace in this thread is where the fault occurred. type boolean crashAddress description The address of the signal that caused the application to crash. Only present on crashed native threads format int64 type string crashed description True when the thread has crashed. type boolean frames description The frames in the thread's stacktrace. items $ref Frame type array name description The name of the thread. type string queue description The queue on which the thread was running. type string signal description The name of the signal that caused the app to crash. Only present on crashed native threads. type string signalCode description The code of the signal that caused the app to crash. Only present on crashed native threads. type string subtitle description The subtitle of the thread. type string sysThreadId description The system id of the thread, only available for ANR threads. format int64 type string threadId description The id of the thread, only available for ANR threads. format int64 type string threadState description Output only. The state of the thread at the time the ANR occurred. enum STATE_UNSPECIFIED THREAD_STATE_TERMINATED THREAD_STATE_RUNNABLE THREAD_STATE_TIMED_WAITING THREAD_STATE_BLOCKED THREAD_STATE_WAITING THREAD_STATE_NEW THREAD_STATE_NATIVE_RUNNABLE THREAD_STATE_NATIVE_WAITING enumDescriptions Thread state unspecified. Thread was terminated. Thread was runnable. Thread was waiting with a timeout. Thread was blocked. Thread was waiting. Thread was started, yet to run anything. The thread was native and we could not heuristically determine that it was was waiting, so assume it's runnable. We heuristically determined that the thread is waiting. readOnly True type string title description The title of the thread. type string type object User description Developer-provided end user identifiers. id User properties id description User id if provided by the app developer. type string type object Version description Application software version. id Version properties buildVersion description One display_version can have many build_version. On Android, strictly the same as "version code" On iOS, strictly the same as "build number" or CFBundleVersion type string displayName description Compound human-readable string containing both display and build versions. Formatted like "display_version (build_version)" eg "1.2.3 (456)" This string can be used for filtering with the VersionFilter.display_name field. type string displayVersion description Human-readable version string, eg "1.2.3" On Android, strictly the same as "version name" On iOS, strictly the same as "version number" or CFBundleShortVersionString type string tracks description Indicates releases which have artifacts that are currently available in the Play Store to the target audience of the track. Versions may be available in multiple tracks. items $ref PlayTrack type array type object old_value DeleteUserCrashReportsResponse description Response message for the DeleteUserCrashReports method. All crash reports associated with the specified user will be deleted typically within 24 hours of receiving the crash report. id DeleteUserCrashReportsResponse properties targetCompleteTime description Target time to complete the delete crash reports operation. format google-datetime type string type object
prod/firebasedurablelinks-ipv4-pa-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasedurablelinks-ipv4-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasedurablelinks-pa-	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebasedurablelinks-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250307
prod/firebaseextensions-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseextensions-v1beta	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseextensionspublisher-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebaseextensionspublisher-v1beta	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebasegenaimonitoring-pa-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebasegenaimonitoring-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebaseinappmessaging-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebaseinappmessaging-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebasemessagingcampaigns-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebasemessagingcampaigns-v1beta	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/firebasereleasemon-pa-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebasereleasemon-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/firebaseremoteconfig-pa-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebaseremoteconfig-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebaseremoteconfig-pa-v2	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebaseremoteconfigrealtime-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebaseremoteconfigrealtime-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebasesagepredictions-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebasesagepredictions-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/firebasesegmentation-pa-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/firebasesegmentation-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/firebasetargeting-pa-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/firebasetargeting-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/fireconsole-pa-	values_changed root['revision'] new_value 20250312 old_value 20250307 iterable_item_added root['schemas']['Permission']['properties']['entityAction']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['Permission']['properties']['entityAction']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details.
prod/fireconsole-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250307 iterable_item_added root['schemas']['Permission']['properties']['entityAction']['enum'][58] RECEIVE_PERFORMANCE_EMAIL root['schemas']['Permission']['properties']['entityAction']['enumDescriptions'][58] Allows a user to receive performance emails. See go/gacs-performance-emails for details.
prod/fit-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/fit-v2beta1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/gcmcontextualcampaign-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/gcmcontextualcampaign-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/gcmcontextualcampaign-pa-v2	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/gdchardwaremanagement-	dictionary_item_added root['schemas']['Zone']['properties']['useDualPowerSupplyUnits'] values_changed root['revision'] new_value 20250306 old_value 20250227
prod/gdchardwaremanagement-v1alpha	dictionary_item_added root['schemas']['Zone']['properties']['useDualPowerSupplyUnits'] values_changed root['revision'] new_value 20250306 old_value 20250227
prod/generativelanguage-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/generativelanguage-v1	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/generativelanguage-v1alpha	dictionary_item_added root['schemas']['Schema']['properties']['anyOf'] root['schemas']['Schema']['properties']['maximum'] root['schemas']['Schema']['properties']['minimum'] values_changed root['revision'] new_value 20250313 old_value 20250311
prod/generativelanguage-v1beta	dictionary_item_added root['schemas']['Schema']['properties']['anyOf'] root['schemas']['Schema']['properties']['maximum'] root['schemas']['Schema']['properties']['minimum'] values_changed root['revision'] new_value 20250313 old_value 20250309
prod/generativelanguage-v1beta1	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/generativelanguage-v1beta2	values_changed root['revision'] new_value 20250313 old_value 20250311
prod/generativelanguage-v1beta3	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/geoar-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/geoar-v1	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/geofeedtaskrouting-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/geofeedtaskrouting-v1alpha	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/growth-pa-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/growth-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/gsuiteaddons-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/gsuiteaddons-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/guidedhelp-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/guidedhelp-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/guts-	values_changed root['revision'] new_value 20250313 old_value 20250226
prod/guts-v3	values_changed root['revision'] new_value 20250313 old_value 20250226
prod/hangouts-	values_changed root['revision'] new_value 20250310 old_value 20250304
prod/hangouts-v1	values_changed root['revision'] new_value 20250310 old_value 20250304
prod/hourly-dynamicmail-pa.sandbox-	values_changed root['revision'] new_value 20250314 old_value 20250311
prod/hourly-dynamicmail-pa.sandbox-v2	values_changed root['revision'] new_value 20250314 old_value 20250311
prod/ipprotection-ppissuer-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/ipprotection-ppissuer-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/jibemessagestore-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/jibemessagestore-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/keep-pa-	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250207 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/keep-pa-v1	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250207 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/kidsmanagement-pa-	values_changed root['revision'] new_value 20250311 old_value 20250310
prod/kidsmanagement-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250310
prod/kidsnotification-pa-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/kidsnotification-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/krmapihosting-	values_changed root['revision'] new_value 20250305 old_value 20250219
prod/krmapihosting-v1	values_changed root['revision'] new_value 20250305 old_value 20250219
prod/krmapihosting-v1alpha1	values_changed root['revision'] new_value 20250305 old_value 20250219
prod/legalproductions-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/legalproductions-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/linkauthorization-	values_changed root['revision'] new_value 20250312 old_value 20250307
prod/linkauthorization-v1	values_changed root['revision'] new_value 20250312 old_value 20250307
prod/localservicespartner-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/localservicespartner-v1beta1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/lookerstudio-pa-	dictionary_item_added root['resources']['c']['resources']['v1']['resources']['firstparty']['methods']['deleteLasikSuite'] root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['createLasikRun'] root['resources']['firstparty']['methods']['deleteLasikSuite'] root['resources']['firstparty']['resources']['createLasikRun'] root['schemas']['CreateLasikRunRequest'] root['schemas']['CreateLasikRunResponse'] root['schemas']['DeleteLasikSuiteRequest'] root['schemas']['DeleteLasikSuiteResponse'] root['schemas']['WebHook'] values_changed root['revision'] new_value 20250311 old_value 20250302 root['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enumDescriptions'][8] new_value Order by id of assets. old_value Order by name of assets. root['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enum'][8] new_value CATEGORY_ID old_value CATEGORY_NAME root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enumDescriptions'][8] new_value Order by id of assets. old_value Order by name of assets. root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enum'][8] new_value CATEGORY_ID old_value CATEGORY_NAME
prod/lookerstudio-pa-v1	dictionary_item_added root['resources']['c']['resources']['v1']['resources']['firstparty']['methods']['deleteLasikSuite'] root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['createLasikRun'] root['resources']['firstparty']['methods']['deleteLasikSuite'] root['resources']['firstparty']['resources']['createLasikRun'] root['schemas']['CreateLasikRunRequest'] root['schemas']['CreateLasikRunResponse'] root['schemas']['DeleteLasikSuiteRequest'] root['schemas']['DeleteLasikSuiteResponse'] root['schemas']['WebHook'] values_changed root['revision'] new_value 20250311 old_value 20250302 root['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enumDescriptions'][8] new_value Order by id of assets. old_value Order by name of assets. root['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enum'][8] new_value CATEGORY_ID old_value CATEGORY_NAME root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enumDescriptions'][8] new_value Order by id of assets. old_value Order by name of assets. root['resources']['c']['resources']['v1']['resources']['firstparty']['resources']['assets']['methods']['search']['parameters']['orderBy.fieldName']['enum'][8] new_value CATEGORY_ID old_value CATEGORY_NAME
prod/mapsplatformdatasets-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mapsplatformdatasets-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mapsplatformdatasets-v1alpha	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/media3p-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/media3p-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/memorystore-	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['rescheduleMaintenance'] root['schemas']['CrossInstanceReplicationConfig'] root['schemas']['MaintenancePolicy'] root['schemas']['MaintenanceSchedule'] root['schemas']['Membership'] root['schemas']['RemoteInstance'] root['schemas']['RescheduleMaintenanceRequest'] root['schemas']['TimeOfDay'] root['schemas']['WeeklyMaintenanceWindow'] root['schemas']['Instance']['properties']['crossInstanceReplicationConfig'] root['schemas']['Instance']['properties']['maintenancePolicy'] root['schemas']['Instance']['properties']['maintenanceSchedule'] root['schemas']['Instance']['properties']['ondemandMaintenance'] dictionary_item_removed root['schemas']['BillingView'] root['schemas']['Exemplar'] root['schemas']['GoogleApiServicecontrolV1AttributeValue'] root['schemas']['GoogleApiServicecontrolV1Attributes'] root['schemas']['GoogleApiServicecontrolV1Distribution'] root['schemas']['GoogleApiServicecontrolV1ExplicitBuckets'] root['schemas']['GoogleApiServicecontrolV1ExponentialBuckets'] root['schemas']['GoogleApiServicecontrolV1HttpRequest'] root['schemas']['GoogleApiServicecontrolV1LinearBuckets'] root['schemas']['GoogleApiServicecontrolV1LogEntry'] root['schemas']['GoogleApiServicecontrolV1LogEntryOperation'] root['schemas']['GoogleApiServicecontrolV1LogEntrySourceLocation'] root['schemas']['GoogleApiServicecontrolV1MetricValue'] root['schemas']['GoogleApiServicecontrolV1MetricValueSet'] root['schemas']['GoogleApiServicecontrolV1Operation'] root['schemas']['GoogleApiServicecontrolV1QuotaProperties'] root['schemas']['GoogleApiServicecontrolV1ReportRequest'] root['schemas']['GoogleApiServicecontrolV1ResourceInfo'] root['schemas']['GoogleApiServicecontrolV1TraceSpan'] root['schemas']['GoogleApiServicecontrolV1TruncatableString'] root['schemas']['Money'] values_changed root['revision'] new_value 20250307 old_value 20250220 root['schemas']['Instance']['properties']['engineVersion']['description'] new_value Optional. Engine version of the instance. old_value Optional. Immutable. Engine version of the instance. root['schemas']['Instance']['properties']['nodeType']['description'] new_value Optional. Machine type for individual nodes of the instance. old_value Optional. Immutable. Machine type for individual nodes of the instance.
prod/memorystore-v1	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['rescheduleMaintenance'] root['schemas']['CrossInstanceReplicationConfig'] root['schemas']['MaintenancePolicy'] root['schemas']['MaintenanceSchedule'] root['schemas']['Membership'] root['schemas']['RemoteInstance'] root['schemas']['RescheduleMaintenanceRequest'] root['schemas']['TimeOfDay'] root['schemas']['WeeklyMaintenanceWindow'] root['schemas']['Instance']['properties']['crossInstanceReplicationConfig'] root['schemas']['Instance']['properties']['maintenancePolicy'] root['schemas']['Instance']['properties']['maintenanceSchedule'] root['schemas']['Instance']['properties']['ondemandMaintenance'] dictionary_item_removed root['schemas']['BillingView'] root['schemas']['Exemplar'] root['schemas']['GoogleApiServicecontrolV1AttributeValue'] root['schemas']['GoogleApiServicecontrolV1Attributes'] root['schemas']['GoogleApiServicecontrolV1Distribution'] root['schemas']['GoogleApiServicecontrolV1ExplicitBuckets'] root['schemas']['GoogleApiServicecontrolV1ExponentialBuckets'] root['schemas']['GoogleApiServicecontrolV1HttpRequest'] root['schemas']['GoogleApiServicecontrolV1LinearBuckets'] root['schemas']['GoogleApiServicecontrolV1LogEntry'] root['schemas']['GoogleApiServicecontrolV1LogEntryOperation'] root['schemas']['GoogleApiServicecontrolV1LogEntrySourceLocation'] root['schemas']['GoogleApiServicecontrolV1MetricValue'] root['schemas']['GoogleApiServicecontrolV1MetricValueSet'] root['schemas']['GoogleApiServicecontrolV1Operation'] root['schemas']['GoogleApiServicecontrolV1QuotaProperties'] root['schemas']['GoogleApiServicecontrolV1ReportRequest'] root['schemas']['GoogleApiServicecontrolV1ResourceInfo'] root['schemas']['GoogleApiServicecontrolV1TraceSpan'] root['schemas']['GoogleApiServicecontrolV1TruncatableString'] root['schemas']['Money'] values_changed root['revision'] new_value 20250307 old_value 20250220 root['schemas']['Instance']['properties']['engineVersion']['description'] new_value Optional. Engine version of the instance. old_value Optional. Immutable. Engine version of the instance. root['schemas']['Instance']['properties']['nodeType']['description'] new_value Optional. Machine type for individual nodes of the instance. old_value Optional. Immutable. Machine type for individual nodes of the instance.
prod/memorystore-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['rescheduleMaintenance'] root['schemas']['CrossInstanceReplicationConfig'] root['schemas']['MaintenancePolicy'] root['schemas']['MaintenanceSchedule'] root['schemas']['Membership'] root['schemas']['RemoteInstance'] root['schemas']['RescheduleMaintenanceRequest'] root['schemas']['TimeOfDay'] root['schemas']['WeeklyMaintenanceWindow'] root['schemas']['Instance']['properties']['crossInstanceReplicationConfig'] root['schemas']['Instance']['properties']['maintenancePolicy'] root['schemas']['Instance']['properties']['maintenanceSchedule'] root['schemas']['Instance']['properties']['ondemandMaintenance'] dictionary_item_removed root['schemas']['BillingView'] root['schemas']['Exemplar'] root['schemas']['GoogleApiServicecontrolV1AttributeValue'] root['schemas']['GoogleApiServicecontrolV1Attributes'] root['schemas']['GoogleApiServicecontrolV1Distribution'] root['schemas']['GoogleApiServicecontrolV1ExplicitBuckets'] root['schemas']['GoogleApiServicecontrolV1ExponentialBuckets'] root['schemas']['GoogleApiServicecontrolV1HttpRequest'] root['schemas']['GoogleApiServicecontrolV1LinearBuckets'] root['schemas']['GoogleApiServicecontrolV1LogEntry'] root['schemas']['GoogleApiServicecontrolV1LogEntryOperation'] root['schemas']['GoogleApiServicecontrolV1LogEntrySourceLocation'] root['schemas']['GoogleApiServicecontrolV1MetricValue'] root['schemas']['GoogleApiServicecontrolV1MetricValueSet'] root['schemas']['GoogleApiServicecontrolV1Operation'] root['schemas']['GoogleApiServicecontrolV1QuotaProperties'] root['schemas']['GoogleApiServicecontrolV1ReportRequest'] root['schemas']['GoogleApiServicecontrolV1ResourceInfo'] root['schemas']['GoogleApiServicecontrolV1TraceSpan'] root['schemas']['GoogleApiServicecontrolV1TruncatableString'] root['schemas']['Money'] values_changed root['revision'] new_value 20250307 old_value 20250220 root['schemas']['Instance']['properties']['engineVersion']['description'] new_value Optional. Engine version of the instance. old_value Optional. Immutable. Engine version of the instance. root['schemas']['Instance']['properties']['nodeType']['description'] new_value Optional. Machine type for individual nodes of the instance. old_value Optional. Immutable. Machine type for individual nodes of the instance.
prod/memorystore-v1beta	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['rescheduleMaintenance'] root['schemas']['CrossInstanceReplicationConfig'] root['schemas']['MaintenancePolicy'] root['schemas']['MaintenanceSchedule'] root['schemas']['Membership'] root['schemas']['RemoteInstance'] root['schemas']['RescheduleMaintenanceRequest'] root['schemas']['TimeOfDay'] root['schemas']['WeeklyMaintenanceWindow'] root['schemas']['Instance']['properties']['crossInstanceReplicationConfig'] root['schemas']['Instance']['properties']['maintenancePolicy'] root['schemas']['Instance']['properties']['maintenanceSchedule'] root['schemas']['Instance']['properties']['ondemandMaintenance'] dictionary_item_removed root['schemas']['BillingView'] root['schemas']['Exemplar'] root['schemas']['GoogleApiServicecontrolV1AttributeValue'] root['schemas']['GoogleApiServicecontrolV1Attributes'] root['schemas']['GoogleApiServicecontrolV1Distribution'] root['schemas']['GoogleApiServicecontrolV1ExplicitBuckets'] root['schemas']['GoogleApiServicecontrolV1ExponentialBuckets'] root['schemas']['GoogleApiServicecontrolV1HttpRequest'] root['schemas']['GoogleApiServicecontrolV1LinearBuckets'] root['schemas']['GoogleApiServicecontrolV1LogEntry'] root['schemas']['GoogleApiServicecontrolV1LogEntryOperation'] root['schemas']['GoogleApiServicecontrolV1LogEntrySourceLocation'] root['schemas']['GoogleApiServicecontrolV1MetricValue'] root['schemas']['GoogleApiServicecontrolV1MetricValueSet'] root['schemas']['GoogleApiServicecontrolV1Operation'] root['schemas']['GoogleApiServicecontrolV1QuotaProperties'] root['schemas']['GoogleApiServicecontrolV1ReportRequest'] root['schemas']['GoogleApiServicecontrolV1ResourceInfo'] root['schemas']['GoogleApiServicecontrolV1TraceSpan'] root['schemas']['GoogleApiServicecontrolV1TruncatableString'] root['schemas']['Money'] values_changed root['revision'] new_value 20250307 old_value 20250220 root['schemas']['Instance']['properties']['engineVersion']['description'] new_value Optional. Engine version of the instance. old_value Optional. Immutable. Engine version of the instance. root['schemas']['Instance']['properties']['nodeType']['description'] new_value Optional. Machine type for individual nodes of the instance. old_value Optional. Immutable. Machine type for individual nodes of the instance.
prod/meshca-	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/meshca-v1	values_changed root['revision'] new_value 20250307 old_value 20250228
prod/mlkit-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mlkit-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mlkit-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mlkit-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mlkit-v1beta1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mobilemlaccelerationcompatibility-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mobilemlaccelerationcompatibility-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mobileperformancereporting-pa-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mobileperformancereporting-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/mobilesdk-pa-	values_changed root['revision'] new_value 20250312 old_value 20250307
prod/mobilesdk-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250307
prod/modelarmor-	dictionary_item_added root['schemas']['FilterResult']['properties']['csamFilterFilterResult'] dictionary_item_removed root['schemas']['FilterResult']['properties']['csamFilterResult'] values_changed root['revision'] new_value 20250305 old_value 20250226
prod/modelarmor-v1	dictionary_item_added root['schemas']['FilterResult']['properties']['csamFilterFilterResult'] dictionary_item_removed root['schemas']['FilterResult']['properties']['csamFilterResult'] values_changed root['revision'] new_value 20250305 old_value 20250226
prod/modelarmor-v1alpha	dictionary_item_added root['schemas']['FilterResult']['properties']['csamFilterFilterResult'] dictionary_item_removed root['schemas']['FilterResult']['properties']['csamFilterResult'] values_changed root['revision'] new_value 20250305 old_value 20250226
prod/monospace-pa-	dictionary_item_added root['resources']['billingaccounts'] root['resources']['projects'] root['schemas']['BillingAccount'] root['schemas']['ListBillingAccountsResponse'] root['schemas']['ModalityTokenCount'] root['schemas']['ProjectBillingInfo'] root['schemas']['UsageMetadata'] root['schemas']['GeminiGenerateContentResponse']['properties']['usageMetadata'] values_changed root['revision'] new_value 20250313 old_value 20250309
prod/monospace-pa-v1	dictionary_item_added root['resources']['billingaccounts'] root['resources']['projects'] root['schemas']['BillingAccount'] root['schemas']['ListBillingAccountsResponse'] root['schemas']['ModalityTokenCount'] root['schemas']['ProjectBillingInfo'] root['schemas']['UsageMetadata'] root['schemas']['GeminiGenerateContentResponse']['properties']['usageMetadata'] values_changed root['revision'] new_value 20250313 old_value 20250309
prod/moviesanywhere-	values_changed root['revision'] new_value 20250310 old_value 20250203
prod/moviesanywhere-v1	values_changed root['revision'] new_value 20250310 old_value 20250203
prod/myphonenumbers-pa-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/myphonenumbers-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/networkbuildingblocks-pa-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/networkbuildingblocks-pa-v1beta1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/northamerica-northeast1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/northamerica-northeast1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/northamerica-northeast2-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast2-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast2-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/northamerica-northeast2-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250306
prod/northamerica-northeast2-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250306
prod/notes-pa-	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250210 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/notes-pa-v1	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] values_changed root['revision'] new_value 20250304 old_value 20250210 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/notifications-pa-	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250309 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/notifications-pa-v1	dictionary_item_added root['schemas']['WalletGooglepayCommon__AddHealthCardTarget'] root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['fcmToken'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsFrontendDataCommon__SupportedFeatures']['properties']['standaloneInboxSupported'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystem'] root['schemas']['NotificationsFrontendData_RenderContextDeviceInfo_WebContext']['properties']['webHostOperatingSystemVersion'] root['schemas']['WalletGooglepayCommon__NavigationTarget']['properties']['addHealthCard'] dictionary_item_removed root['schemas']['Sidekick__InlineVideo'] root['schemas']['Sidekick__SmallContentModule']['properties']['inlineVideo'] values_changed root['revision'] new_value 20250311 old_value 20250309 root['schemas']['WalletGooglepayCommon__NavigationTarget']['description'] new_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 75 old_value The target to navigate to. A target should be a pure navigation target. I.e. the target should not represent an action to be taken (besides navigation). Next id: 74 iterable_item_added root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enum'][3] DIRECT_FCM_DELIVERY root['schemas']['CommunicationPusherProto__AndroidDevicePayload']['properties']['notificationFeatures']['items']['enumDescriptions'][3] Client supports receiving direct FCM delivery. This bypasses a lot of the Chime latencies. root['schemas']['SearchNotificationsClientCommon__InboxChimeData']['properties']['category']['enum'][56] GOOGLY_NOTIF root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][438] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][438] For exploring web content, as part of the Discover Exploration project. go/discover-exploration-dd. root['schemas']['Sidekick__SemanticProperties']['properties']['notificationCategory']['enum'][56] GOOGLY_NOTIF
prod/ogads-pa-	values_changed root['revision'] new_value 20250302 old_value 20250309 iterable_item_removed root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enumDescriptions'][719] go/connect-ai-agent root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enumDescriptions'][719] go/connect-ai-agent
prod/ogads-pa-v1	values_changed root['revision'] new_value 20250302 old_value 20250309 iterable_item_removed root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['hostProduct']['enumDescriptions'][719] go/connect-ai-agent root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['resources']['v1']['methods']['getdata']['parameters']['subproduct']['enumDescriptions'][719] go/connect-ai-agent
prod/opengallery-	values_changed root['revision'] new_value 20250311 old_value 20250303
prod/opengallery-v1	values_changed root['revision'] new_value 20250311 old_value 20250303
prod/opengallery-v1beta1	values_changed root['revision'] new_value 20250311 old_value 20250303
prod/orglifecycle-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/orglifecycle-v1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/paisadatamixer-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/paisadatamixer-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/partners-pa-	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/partners-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/partners-pa-v2	values_changed root['revision'] new_value 20250311 old_value 20250305
prod/peoplestack-pa-	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['resources']['autocomplete']['methods']['autocomplete']['parameters']['affinityType']['enum'][310] POLARIS_AFFINITY root['resources']['autocomplete']['methods']['warmup']['parameters']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackAutocompleteRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackBlockPersonRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackCreateGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackCreateGroupRequest']['properties']['product']['enum'][13] PRODUCT_UNIVERSAL_SAVES root['schemas']['PeoplestackDeleteGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackFlexorgsProtoInternalExternal']['properties']['application']['enum'][455] POLARIS root['schemas']['PeoplestackFlexorgsProtoInternalExternal']['properties']['application']['enumDescriptions'][455] Polaris Team contact: gcs-nexus@google.com root['schemas']['PeoplestackJoinGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackLeaveGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackLookupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackMutateConnectionLabelRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackReadAllGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackReadGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackSmartAddressRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackUpdateGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackWarmupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['SocialClientsApplicationProto3Wrapper']['properties']['application']['enum'][455] POLARIS root['schemas']['SocialClientsApplicationProto3Wrapper']['properties']['application']['enumDescriptions'][455] Polaris Team contact: gcs-nexus@google.com
prod/peoplestack-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['resources']['autocomplete']['methods']['autocomplete']['parameters']['affinityType']['enum'][310] POLARIS_AFFINITY root['resources']['autocomplete']['methods']['warmup']['parameters']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackAutocompleteRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackBlockPersonRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackCreateGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackCreateGroupRequest']['properties']['product']['enum'][13] PRODUCT_UNIVERSAL_SAVES root['schemas']['PeoplestackDeleteGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackFlexorgsProtoInternalExternal']['properties']['application']['enum'][455] POLARIS root['schemas']['PeoplestackFlexorgsProtoInternalExternal']['properties']['application']['enumDescriptions'][455] Polaris Team contact: gcs-nexus@google.com root['schemas']['PeoplestackJoinGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackLeaveGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackLookupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackMutateConnectionLabelRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackReadAllGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackReadGroupsRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackSmartAddressRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackUpdateGroupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['PeoplestackWarmupRequest']['properties']['affinityType']['enum'][310] POLARIS_AFFINITY root['schemas']['SocialClientsApplicationProto3Wrapper']['properties']['application']['enum'][455] POLARIS root['schemas']['SocialClientsApplicationProto3Wrapper']['properties']['application']['enumDescriptions'][455] Polaris Team contact: gcs-nexus@google.com
prod/performanceparameters-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/performanceparameters-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/policyremediator-	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/policyremediator-v1alpha	values_changed root['revision'] new_value 20250309 old_value 20250302
prod/ppissuer-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/ppissuer-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/preprod-hangouts-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/preprod-hangouts-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/preprod-keep-pa-	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250311 old_value 20250213 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/preprod-keep-pa-v1	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250311 old_value 20250213 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/preprod-notes-pa.sandbox-	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] dictionary_item_removed root['schemas']['Node']['properties']['sharerEmail'] values_changed root['revision'] new_value 20250311 old_value 20250211 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/preprod-notes-pa.sandbox-v1	dictionary_item_added root['schemas']['DownSync']['properties']['derivedNoteAttributes']['deprecated'] root['schemas']['DownSync']['properties']['derivedNoteAttributes']['description'] root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['deprecated'] root['schemas']['DownSyncWriteResult']['properties']['status']['enumDeprecated'] root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['deprecated'] root['schemas']['Node']['properties']['serverChanges']['properties']['images']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['note']['properties']['commandEncoding']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['deprecated'] root['schemas']['UpSync']['properties']['requestHeader']['properties']['modelOptions']['properties']['quill']['properties']['commandEncoding']['deprecated'] dictionary_item_removed root['schemas']['Node']['properties']['sharerEmail'] values_changed root['revision'] new_value 20250311 old_value 20250211 root['schemas']['DownSyncWriteResult']['properties']['missingEmbeddedImages']['description'] new_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. old_value The embedded images referenced by the uploaded commands for which the corresponding data was not found by the server. Clients are expected to re-upload these images before issuing a new sync request. This field is only populated when the status is set to MISSING_EMBEDDED_IMAGE. root['schemas']['Node']['properties']['clientChanges']['properties']['commandMetadata']['properties']['imageIdMap']['description'] new_value For images referenced by the model, maps images' client IDs to server IDs. old_value For images referenced by the model, maps images' client IDs to server IDs. root['schemas']['Node']['properties']['serverChanges']['properties']['images']['description'] new_value Metadata on images referenced by the model. old_value Metadata on images referenced by the model. This will include all images upon initial sync (no changes) and only images referenced by changes when changes exist. root['schemas']['DownSyncWriteResult']['properties']['status']['enumDescriptions'][2] new_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request. old_value The uploaded commands refer to embedded images that have not yet been uploaded. Clients are expected to recover from this error by re-uploading the image before issuing a new sync request.
prod/privacysandboxmaven-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/privacysandboxmaven-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/progressiverollout-	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/progressiverollout-v1alpha	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/progressiverollout-v1beta	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/quantum-	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/quantum-v1alpha1	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/rbmopenmaap-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/rbmopenmaap-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/reach-pa-	values_changed root['revision'] new_value 20250313 old_value 20250305
prod/reach-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250305
prod/reauth-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/reauth-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/reauth-v2	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/resultstore-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/resultstore-v2	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/riskmanager-	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/riskmanager-v1	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/riskmanager-v1alpha1	values_changed root['revision'] new_value 20250313 old_value 20250309
prod/routeoptimization-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/routeoptimization-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/routes-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/routes-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/routespreferred-	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/routespreferred-v1	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/routespreferred-v1alpha	values_changed root['revision'] new_value 20250312 old_value 20250306
prod/runapps-	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/runapps-v1alpha1	values_changed root['revision'] new_value 20250305 old_value 20250226
prod/saasmanagement-	dictionary_item_added root['schemas']['TerraformFlags'] root['schemas']['Features']['properties']['terraformFlags'] values_changed root['resources']['projects']['resources']['locations']['resources']['instanceTypes']['methods']['patch']['parameters']['updateMask']['description'] new_value Required. Mask of fields to update. At least one path must be supplied in this field. For the `FieldMask` definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask Supported fieldmask values are: - `labels` - `display_name` - `features` - `features.auto_wipeout` - `features.enable_health_monitoring` - `features.gcp_tenant_project` - `features.gcp_tenant_project_v2` - `features.harpoon` - `features.harpoon.harpoon_requestor_id` - `features.mutation_timeout_minutes` - `features.notification` - `features.reconciliation.reconciliation_policy` - `features.reconciliation.create_conflict_policy` - `features.reconciliation` - `features.slo_config` - `features.slo_config.slos` - `features.update_on_hidden_consumer_project` - `features.terraform_flags.plan_parallelism` - `features.terraform_flags.apply_parallelism` old_value Required. Mask of fields to update. At least one path must be supplied in this field. For the `FieldMask` definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask Supported fieldmask values are: - `labels` - `display_name` - `features` - `features.auto_wipeout` - `features.enable_health_monitoring` - `features.gcp_tenant_project` - `features.gcp_tenant_project_v2` - `features.harpoon` - `features.harpoon.harpoon_requestor_id` - `features.mutation_timeout_minutes` - `features.notification` - `features.reconciliation.reconciliation_policy` - `features.reconciliation.create_conflict_policy` - `features.reconciliation` - `features.slo_config` - `features.slo_config.slos` - `features.update_on_hidden_consumer_project` root['revision'] new_value 20250305 old_value 20250219
prod/saasmanagement-v1beta	dictionary_item_added root['schemas']['TerraformFlags'] root['schemas']['Features']['properties']['terraformFlags'] values_changed root['resources']['projects']['resources']['locations']['resources']['instanceTypes']['methods']['patch']['parameters']['updateMask']['description'] new_value Required. Mask of fields to update. At least one path must be supplied in this field. For the `FieldMask` definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask Supported fieldmask values are: - `labels` - `display_name` - `features` - `features.auto_wipeout` - `features.enable_health_monitoring` - `features.gcp_tenant_project` - `features.gcp_tenant_project_v2` - `features.harpoon` - `features.harpoon.harpoon_requestor_id` - `features.mutation_timeout_minutes` - `features.notification` - `features.reconciliation.reconciliation_policy` - `features.reconciliation.create_conflict_policy` - `features.reconciliation` - `features.slo_config` - `features.slo_config.slos` - `features.update_on_hidden_consumer_project` - `features.terraform_flags.plan_parallelism` - `features.terraform_flags.apply_parallelism` old_value Required. Mask of fields to update. At least one path must be supplied in this field. For the `FieldMask` definition, see https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#fieldmask Supported fieldmask values are: - `labels` - `display_name` - `features` - `features.auto_wipeout` - `features.enable_health_monitoring` - `features.gcp_tenant_project` - `features.gcp_tenant_project_v2` - `features.harpoon` - `features.harpoon.harpoon_requestor_id` - `features.mutation_timeout_minutes` - `features.notification` - `features.reconciliation.reconciliation_policy` - `features.reconciliation.create_conflict_policy` - `features.reconciliation` - `features.slo_config` - `features.slo_config.slos` - `features.update_on_hidden_consumer_project` root['revision'] new_value 20250305 old_value 20250219
prod/salesforceshopping-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/salesforceshopping-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/scone-pa-	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1ContactFormGetRequest']['properties']['requestSource']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1RequestSource']['properties']['value']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094
prod/scone-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250305 iterable_item_added root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorContext']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['EngageApiSharedCmsConfigurationFieldRelationshipDescriptorValue']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1CidGetTreeRequest']['properties']['frdId']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1CidSearchRequest']['properties']['frdId']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1ContactFormGetRequest']['properties']['requestSource']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1GetAvailableValuesForGraphRequest']['properties']['resultFrdIdentifierMask']['items']['enumDescriptions'][727] b/399143094 root['schemas']['SconeV1RequestSource']['properties']['value']['enum'][143] RS_RISK_MANAGEMENT_AND_COMPLIANCE root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][66] IDENTIFIER_ADS_JOINT_BUSINESS_PLAN_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][154] IDENTIFIER_ADVERTISER_SERVICE_CATEGORY root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][277] IDENTIFIER_CASES_WHATSAPP_CONSENT root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][372] IDENTIFIER_CS_TEAM_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enum'][727] IDENTIFIER_MENU_OF_SERVICE_ORDER_ID root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][66] b/400713111 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][154] b/399143770 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][277] b/397762924 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][372] b/399076775 root['schemas']['SconeV1UserSpecificFrdValuesGetRequest']['properties']['frdIdentifier']['enumDescriptions'][727] b/399143094
prod/searchresearcherresults-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/searchresearcherresults-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/semanticlocation-pa-	dictionary_item_added root['schemas']['GeostoreMedianProto'] root['schemas']['GeostoreMedianProtoSegmentLoopProto'] root['schemas']['GeostoreMedianProtoSegmentLoopProtoIndexedComponentProto'] root['schemas']['GeostoreCityObjectAttributesTrsAffineTransform']['description'] root['schemas']['GeostoreFeatureProto']['properties']['median'] root['schemas']['GeostoreRestrictionProto']['properties']['restrictionId'] root['schemas']['GeostoreSegmentProto']['properties']['relatedMedian'] root['schemas']['LocationPlacesPlacesserverPlaceInfoMobile']['properties']['transitCategory'] dictionary_item_removed root['schemas']['GeostoreAccessPointProto']['properties']['priority']['description'] root['schemas']['GeostoreBestLocaleProto']['properties']['metadata']['description'] root['schemas']['GeostoreRankSignalProto']['description'] root['schemas']['GeostoreRestrictionProto']['properties']['type']['description'] root['schemas']['GeostoreSegmentProto']['properties']['priority']['description'] root['schemas']['GeostoreSegmentProto']['properties']['surface']['description'] root['schemas']['GeostoreSegmentProto']['properties']['usage']['description'] root['schemas']['IndexingMoonshineHappyhourTypesLocation']['properties']['semanticType']['description'] values_changed root['revision'] new_value 20250303 old_value 20250210 root['schemas']['GeostoreAccessPointProto']['description'] new_value This class holds information about a single access point. An access point establishes a relationship between a feature (like a POI or building) and some other feature. For example, consider a TYPE_LOCALITY feature like Seattle. An access point might be the TYPE_AIRPORT feature for Seattle-Tacoma International Airport. The airport feature defines the access point to gain airplane-based access to Seattle. A feature like Seattle will typically have multiple access points. You can get to Seattle using airplanes, various forms of public transit, or by driving a car. Thus Seattle would have multiple access points. You may be able to get to Seattle by flying into SeaTac, or you might be able to fly into Boeing Field, or Paine Field in Everett. You could drive in from the North/South using I-5, or you could drive in from the East using I-90. Many access points are from the road network. Thus the access point for some building at 123 Main Street would likely be a segment that defines the 100-200 block of "Main Street". A feature at the corner of "Hollywood" and "Vine" streets might have access points from both named streets. Access points are an optional field. Data editors may ignore them when creating features or editing other fields. In these cases, other quality teams will synthesize and update them. Several fields are also optional, as they are derivable from other fields. Access points to non-TYPE_SEGMENT features should always have the following fields set: - feature_type - feature_id - point Location and reference fields: BASIC vs DERIVABLE Access points to TYPE_SEGMENT features must have all the following BASIC fields: - feature_type (of the segment, e.g. TYPE_ROAD or TYPE_VIRTUAL_SEGMENT) - point_off_segment (or point; see "fuzzy point" note below) - unsuitable_travel_mode (may be empty) - level (indoor access points only) The following are DERIVABLE fields, which should only be added if the supplier is confident about their accuracy: - feature_id - point_on_segment - segment_position Editing clients are encouraged to set all fields, but they may set only the BASIC fields, in which case quality teams may use the BASIC fields to snap to an appropriate segment and derive the remaining fields. Example: The segment is split, so that the portion that the access point is on has a new feature ID. Quality teams notice that the point_on_segment is no longer on the segment with feature_id, finds the new nearest segment based on feature_type and existing point_on_segment, and re-derives a new feature_id, point_on_segment, and segment_position, keeping other fields consistent. Fuzzy point special case If the editor does not have side-of-road information for access points or is otherwise unsure of the precise placement of the access point, it may supply the point field (and not point_off_segment) as basic data instead, in which case quality teams may generate the point_off_segment. Identity Access points are considered semantically equivalent if they have the same geometry, including derived fields, and the same references to other features (feature_id, level_feature_id). For the exact definition, see cs/symbol:geostore::AreAccessPointsEquivalent. old_value This class holds information about a single access point. An access point establishes a relationship between a feature (like a POI or building) and some other feature. For example, consider a TYPE_LOCALITY feature like Seattle. An access point might be the TYPE_AIRPORT feature for Seattle-Tacoma International Airport. The airport feature defines the access point to gain airplane-based access to Seattle. A feature like Seattle will typically have multiple access points. You can get to Seattle using airplanes, various forms of public transit, or by driving a car. Thus Seattle would have multiple access points. You may be able to get to Seattle by flying into SeaTac, or you might be able to fly into Boeing Field, or Paine Field in Everett. You could drive in from the North/South using I-5, or you could drive in from the East using I-90. Many access points are from the road network. Thus the access point for some building at 123 Main Street would likely be a segment that defines the 100-200 block of "Main Street". A feature at the corner of "Hollywood" and "Vine" streets might have access points from both named streets. Access points are an optional field. Data editors may ignore them when creating features or editing other fields. In these cases, other quality teams will synthesize and update them. Several fields are also optional, as they are derivable from other fields. Access points to non-TYPE_SEGMENT features should always have the following fields set: - feature_type - feature_id - point Location and reference fields: BASIC vs DERIVABLE Access points to TYPE_SEGMENT features must have all the following BASIC fields: - feature_type (of the segment, e.g. TYPE_ROAD or TYPE_VIRTUAL_SEGMENT) - point_off_segment (or point; see "fuzzy point" note below) - unsuitable_travel_mode (may be empty) - level (indoor access points only) The following are DERIVABLE fields, which should only be added if the supplier is confident about their accuracy: - feature_id - point_on_segment - segment_position Editing clients are encouraged to set all fields, but they may set only the BASIC fields, in which case quality teams may use the BASIC fields to snap to an appropriate segment and derive the remaining fields. Example: The segment is split, so that the portion that the access point is on has a new feature ID. Quality teams notice that the point_on_segment is no longer on the segment with feature_id, finds the new nearest segment based on feature_type and existing point_on_segment, and re-derives a new feature_id, point_on_segment, and segment_position, keeping other fields consistent. Fuzzy point special case If the editor does not have side-of-road information for access points or is otherwise unsure of the precise placement of the access point, it may supply the point field (and not point_off_segment) as basic data instead, in which case quality teams may generate the point_off_segment. Identity Access points are considered semantically equivalent if they have the same geometry, including derived fields, and the same references to other features (feature_id, level_feature_id). For the exact definition, see cs/symbol:geostore::AreAccessPointsEquivalent. Field definitions root['schemas']['GeostoreBestLocaleProto']['description'] new_value A BestLocaleProto holds information about the best-match locale for a feature. Clients may use this information to determine the appropriate local name of a feature. Field-level metadata for this best locale. old_value A BestLocaleProto holds information about the best-match locale for a feature. Clients may use this information to determine the appropriate local name of a feature. root['schemas']['GeostoreCityObjectAttributes']['properties']['trsAffineTransform']['description'] new_value A local-to-ECEF affine transform. In the local frame, +X/+Y/+Z represents left/up/forward. It is strongly recommended that clients read from and write to this field using either of the provided public: * Builder library: google3/geostore/base/cityjson/cityjsonproto_builder.h * Converter functions: google3/geostore/base/cityjson/affine/trs_affine_transform_converter.h old_value A local-to-ECEF affine transform. In the local frame, +X/+Y/+Z represents left/up/forward. It is strongly recommended that clients read from and write to this field using the provided public converter libraries. root['schemas']['GeostorePriceRangeProto']['description'] new_value This message represents a price range of an attribute. The meaning of the price bounds is domain specific. But mainly they are soft bounds for a normal usage. E.g. "restaurant prices" are subject to an higher level of "soft" bounds than "museum admission price" NOTE: In the future, it could be useful to have a 'factor' field. For example, if you get billed per 2 hours or per 30 minutes. old_value This message represents a price range of an attribute. The meaning of the price bounds is domain specific. But mainly they are soft bounds for a normal usage. E.g. "restaurant prices" are subject to an higher level of "soft" bounds than "museum admission price" root['schemas']['GeostoreRoadDisruptionProto']['description'] new_value A road disruption is any temporary deviation from the 'normal' state of the road network that impacts users' travel experience. The normal state means roads follow their specified sets of restrictions and allow safe driving at a relatively normal speed for the road. Disruptions may not always be negative, e.g. a road that is normally closed has been opened as an emergency evacuation route. Disruptions might have additional data depending on their types. Disruption types are mutually exclusive, so at most one of these might apply. old_value A road disruption is any temporary deviation from the 'normal' state of the road network that impacts users' travel experience. The normal state means roads follow their specified sets of restrictions and allow safe driving at a relatively normal speed for the road. Disruptions may not always be negative, e.g. a road that is normally closed has been opened as an emergency evacuation route. root['schemas']['GeostoreSegmentProto']['description'] new_value WARNING!! If you add new fields to SegmentProto (or submessages), you must: * Maybe update theSegmentSplitter, if there is special logic when a segment is split, e.g. to adjust fractional attributes; most straightforward attributes *should* be copied over automatically: java/com/google/geostore/base/SegmentSplitter.java * Update the SegmentMerger to correctly copy, update, or delete the fields upon a segmenet merge: java/com/google/geostore/base/SegmentMerger.java * Determine whether the fields are irrelevant for rendering high priority roads at far-out zoom levels, and if not clear them: ClearFeature() in maps/render/process-high-priority-roads.cc * Determine whether the fields are required for rendering, and if not clear them: StripFeature() in maps/render/bucketing-util.cc * Update the tests that ensure the above packages are aware of all SegmentProto fields, or the new fields will a) break the Versatile build and/or b) cause performance regressions due to segment merge failures: - process-high-priority-roads_test.cc - bucketing-util_test.cc LINT.IfChange old_value WARNING!! If you add new fields to SegmentProto (or submessages), you must: * Maybe update theSegmentSplitter, if there is special logic when a segment is split, e.g. to adjust fractional attributes; most straightforward attributes *should* be copied over automatically: java/com/google/geostore/base/SegmentSplitter.java * Update the SegmentMerger to correctly copy, update, or delete the fields upon a segmenet merge: java/com/google/geostore/base/SegmentMerger.java * Determine whether the fields are irrelevant for rendering high priority roads at far-out zoom levels, and if not clear them: ClearFeature() in maps/render/process-high-priority-roads.cc * Determine whether the fields are required for rendering, and if not clear them: StripFeature() in maps/render/bucketing-util.cc * Update the tests that ensure the above packages are aware of all SegmentProto fields, or the new fields will a) break the Versatile build and/or b) cause performance regressions due to segment merge failures: - process-high-priority-roads_test.cc - bucketing-util_test.cc LINT.IfChange() root['schemas']['GeostoreSegmentProto']['properties']['legalMinimumSpeed']['description'] new_value LINT.ThenChange( //depot/google3/geostore/base/internal/segment.cc:has_speed_limit ) old_value LINT.ThenChange(//depot/google3/geostore/base/internal/segment.cc:has_speed_limit) root['schemas']['GeostoreVehicleOccupancyRangeProto']['description'] new_value Describes the range of occupants in a vehicle. old_value Describes the range of occupants in a vehicle. The minimum number of occupants allowed in the vehicle, including the driver. Must be >= 0. root['schemas']['LocationPlacesPlacesserverPlaceInfoMobile']['description'] new_value Proto containing all the information about a particular place that is used by CSL and ODLH to compute features. Next tag: 40 old_value Proto containing all the information about a particular place that is used by ELSA to compute features. Next tag: 39 root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][274] new_value A vertical or nearly vertical slope. Includes escarpments. old_value A vertical or nearly vertical slope. Includes escarpments. An elevated place that is notable for having a good view. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][31] new_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. old_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. Any plausible 1-dimensional path through a 2+ dimensional space, for the purposes of making graph-search-based routing possible. Such segments can be used to model paths through parking lots, squares, floors of buildings and other areas. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][353] new_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds old_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds Establishment POIs can be referenced by TYPE_COMPOUND features using the RELATION_PRIMARILY_OCCUPIED_BY. This is the reciprocal relation of the RELATION_OCCUPIES. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][274] new_value A vertical or nearly vertical slope. Includes escarpments. old_value A vertical or nearly vertical slope. Includes escarpments. An elevated place that is notable for having a good view. root['schemas']['GeostoreRestrictionProto']['properties']['type']['enumDescriptions'][8] new_value Travel over this segment is prohibited because of signage indicating one-way directionality in the opposite direction. This restriction type may not be used for restrictions with non-empty subpaths. old_value Travel over this segment is prohibited because of signage indicating one-way directionality in the opposite direction. This restriction type may not be used for restrictions with non-empty subpaths. Segment is part of a road or area for which through-travel is restricted. This restriction allows for vehicles to be routed on a road only if the destination lies within the restricted area or there is no alternate connectivity to the destination. This restriction type may be used only for restrictions of STYLE_SINGLE. root['schemas']['GeostoreTransitLineProto']['properties']['vehicleType']['enumDescriptions'][16] new_value An aerial lift (colloquially called "gondola lift") is a means of cable transport in which cabins, cars, gondolas or open chairs are hauled above the ground by means of one or more cables. Examples: gondola lift, aerial tramway. old_value An aerial lift (colloquially called "gondola lift") is a means of cable transport in which cabins, cars, gondolas or open chairs are hauled above the ground by means of one or more cables. Examples: gondola lift, aerial tramway. Funicular is a cable railway in which a pair of tram-like vehicles use each other as counter balance to ascend and descend. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][248] new_value Includes overfalls. old_value Includes overfalls. A natural depression filled with water where animals come to drink. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][315] new_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. old_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. A transit line is a collection of transit legs, associated with some invariant properties of the trips that run over the legs. See also transitline.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][31] new_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. old_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. Any plausible 1-dimensional path through a 2+ dimensional space, for the purposes of making graph-search-based routing possible. Such segments can be used to model paths through parking lots, squares, floors of buildings and other areas. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][7] new_value This signal derived from the number of documents in DocJoin, which contains keywords of the source feature. For each raw feature, we extract keywords from the feature's name and address. We search the keywords in DocJoin (now only 4B) to get the number of webpages which contains all the keywords of the feature, eg, for Quanjude in Beijing which is a famous restaurant in China, we consider Beijing and Quanjude as its keywords, the page containing both Beijing and Quanjude will be counted in. The number will be mapped by logarithm function into [0, 1]. This signal is based on a simple assumption: the more the name appears in webpage, the more famous it is. old_value This signal derived from the number of documents in DocJoin, which contains keywords of the source feature. For each raw feature, we extract keywords from the feature's name and address. We search the keywords in DocJoin (now only 4B) to get the number of webpages which contains all the keywords of the feature, eg, for Quanjude in Beijing which is a famous restaurant in China, we consider Beijing and Quanjude as its keywords, the page containing both Beijing and Quanjude will be counted in. The number will be mapped by logarithm function into [0, 1]. This signal is based on a simple assumption: the more the name appears in webpage, the more famous it is. These signals are calculated by the Path Radius algorithm, using Pathfinder to figure out in how big a neighborhood this segment is used as a thoroughfare. The popularity is simply the fraction of all paths that use this segment. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][248] new_value Includes overfalls. old_value Includes overfalls. A natural depression filled with water where animals come to drink. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][313] new_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. old_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. A Business Corridor is a dense cluster of semantically similar establishments. TYPE_BUSINESS_CORRIDOR features are distinguished from TYPE_COLLOQUIAL_AREA features because the corridors are not under the political hierarchy, are allowed to be nameless, and may not correspond to well-known real world locations. For more details, see go/geo-corridors-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][262] new_value A stretch of land projecting into water. Includes capes and spits. old_value A stretch of land projecting into water. Includes capes and spits. A strip of land connecting two larger land masses, such as continents. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][60] new_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. old_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. A transfer describes the opportunity to transfer from one station to another. See also transittransfer.proto root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][353] new_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds old_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds Establishment POIs can be referenced by TYPE_COMPOUND features using the RELATION_PRIMARILY_OCCUPIED_BY. This is the reciprocal relation of the RELATION_OCCUPIES. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][364] new_value e.g. single family dwelling, office building. old_value e.g. single family dwelling, office building. e.g. suite, room, hallway, cubicle. root['schemas']['GeostoreRoadSignComponentProto']['properties']['semanticType']['enumDescriptions'][0] new_value Default value. old_value clang-format off Default value. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][62] new_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. old_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. Road sign features have names, point geometry, etc. They also have segment_path data (see below) which lists the segments that refer to the sign. See segment.proto for the reference from the segment to the road sign. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][5] new_value This signal will be set on all routes and is derived by the value of the priority of all segments composing the route. It is a "derived" signal instead of a canonical one because it is not only about inheriting some child segment's priority. We actually take into consideration the priorities of all children segments to come up with a raw value for this signal. old_value This signal will be set on all routes and is derived by the value of the priority of all segments composing the route. It is a "derived" signal instead of a canonical one because it is not only about inheriting some child segment's priority. We actually take into consideration the priorities of all children segments to come up with a raw value for this signal. Derived from the number of POI that use this feature as an address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][262] new_value A stretch of land projecting into water. Includes capes and spits. old_value A stretch of land projecting into water. Includes capes and spits. A strip of land connecting two larger land masses, such as continents. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][2] new_value Magnitude for features with polygonal geometry. old_value Magnitude for features with polygonal geometry. Derived from the number of other features that use this feature as an address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][364] new_value e.g. single family dwelling, office building. old_value e.g. single family dwelling, office building. e.g. suite, room, hallway, cubicle. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][315] new_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. old_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. A transit line is a collection of transit legs, associated with some invariant properties of the trips that run over the legs. See also transitline.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][62] new_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. old_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. Road sign features have names, point geometry, etc. They also have segment_path data (see below) which lists the segments that refer to the sign. See segment.proto for the reference from the segment to the road sign. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][313] new_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. old_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. A Business Corridor is a dense cluster of semantically similar establishments. TYPE_BUSINESS_CORRIDOR features are distinguished from TYPE_COLLOQUIAL_AREA features because the corridors are not under the political hierarchy, are allowed to be nameless, and may not correspond to well-known real world locations. For more details, see go/geo-corridors-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][60] new_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. old_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. A transfer describes the opportunity to transfer from one station to another. See also transittransfer.proto root['schemas']['GeostorePriceRangeProto']['properties']['units']['enumDescriptions'][0] new_value ABSTRACT old_value ABSTRACT The root of the hierarchy. It's an abstract value and shouldn't be present in the repository. iterable_item_added root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreFeaturePropertyIdProto']['properties']['fieldType']['enum'][83] MEDIAN_GEOMETRY_SEGMENT_LOOP root['schemas']['GeostoreFeaturePropertyIdProto']['properties']['fieldType']['enum'][150] SEGMENT_RELATED_MEDIAN root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreSpeedLimitProto']['properties']['category']['enum'][4] STATUTORY root['schemas']['GeostoreSpeedLimitProto']['properties']['category']['enumDescriptions'][4] Speed limits that are set by statute for a given area (and may also be influenced by various road attributes). iterable_item_removed root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][3] DEPRECATED Derived from the number of local business listings that, once reverse-geocoded, have this feature as an address component. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][37] Rank derived from feature popularity asserted by users. Higher rank values are almost always moderated to verify accuracy, hence reliable. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][64] DEPRECATED Signal for buildings in Japan. This signal is a scale of the map this building label should be rendered. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][65] DEPRECATED Signal for peaks in Japan. This signal is a scale of the map this peak label should be rendered. root['schemas']['GeostoreSegmentProto']['properties']['barrier']['enumDescriptions'][0] Some barrier which prevents turns in the middle of a segment, but the details are not known (or the tester doesn't care to distinguish between legal and physical barriers). root['schemas']['GeostoreTransitLineProto']['properties']['vehicleType']['enumDescriptions'][1] ABSTRACT Metropolitan railway transport, mostly for local transit. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][0] ABSTRACT The root of all types. Not a meaningful label of a feature and likewise should never be present in a geostore repository. Useful in that InCategory(t, TYPE_ANY) for all t. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][1] ABSTRACT Feature types that together define a transportation network (routes, segments, and intersections). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][2] A route is any section of road (or rails, etc.) that has a name. This includes city streets as well as highways. Road segments can belong to multiple routes (e.g. El Camino, CA-82). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][3] DEPRECATED This type used to have country-specific highway types but has been DEPRECATED long ago in favor of the country-agnostic subtypes of the TYPE_HIGHWAY hierarchy below. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][14] A designated bicycle route, whose segments may consist of any combination of bicycle paths, bicycle lanes, or city streets. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][15] A designated trail, which may consist of paved walkways, dirt paths, fire road, streets or highways, etc. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][32] An intersection consists of a collection of segments that terminate at the same location. This is topological definition: it may not match what a typical user would think of as an "intersection". See TYPE_INTERSECTION_GROUP, below, for more information. Each segment terminating at an intersection has an "endpoint type" that specifies how that segment is terminated: stop sign, yield sign, three-way light, etc. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][63] Our TYPE_INTERSECTION feature, above, models the point where one or more segments terminate. This is topological definition: it may not match what a typical user would think of as an "intersection". Consider the intersections where Hayes, Market, Larkin, and 9th Street meet near (37.77765, -122.41638) in San Francisco. Most people would probably consider this a single feature, even though we model it as four separate TYPE_INTERSECTION features. This TYPE_INTERSECTION_GROUP is used to model the user's concept of a complex intersection. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][64] A Pathway describes a physical pathway in between two features. See also pathway.proto root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][65] A restriction group describes a set of segment restrictions that belong together and have a name or an associated event. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][66] A toll cluster is either a single point on a segment (represented as a point at the end of the segment that has ENDPOINT_TOLL_BOOTH set) or a group of points on various road segments in MapFacts that represents one or more lanes passing through a toll fixture that all go to the same routing destination. Each toll cluster should have at most a single price per payment method. E.g. {CASH = $5, PASS = $1}. Note: If a toll fixture has different prices for multiple routing destinations, drivers need to be in the correct lane before passing through the toll fixture and hence such a fixture is represented by multiple toll clusters. A toll cluster does not necessarily represent a real-world entity, e.g. a particular plaza/structure as perceived by humans. This is because a plaza can be represented by more than one toll cluster. We require toll clusters to have names, but they might be non-unique. For example, a plaza might be represented by multiple toll clusters that may have the same plaza name. For further details, please see go/toll-cluster-schema. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][84] e.g. Silicon Valley root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][86] In countries where localities are not more structured (e.g. US and CA), we don't bother with subcategories. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][91] An entity widely considered to be a city, that is itself made up of several smaller entities, some of which are cities themselves. For example, Sydney, Australia is comprised of many smaller cities, and is colloquially regarded as a city itself. New York City, on the other hand, contains boroughs, but not other cities. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][111] Eventually we'll have more data for disputed areas (e.g., who makes claims on the area, who has de facto control, etc.). For the moment, we just define a type so we can simply mark areas as disputed. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][112] Boundaries representing the jurisdiction of a particular police station. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][113] An area used for aggregating statistical data, eg, a census region. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][114] RESERVED Constituencies that will go into effect at a future start date. They have unique geometries informative to constituents, politicians, and advertisers. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][173] RESERVED Non-logical point, line, or polygon data to draw on a map. This was introduced by the Japan team to make the maps look more pretty. This is a hack we don't want to extend, so this is marked as reserved even though it appears in Zenrin data (whitelisted). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][189] A line representing the boundary between two features. See border.proto for details. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][191] An association of a point with an address, with no other information. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][208] A flat expanse of salt left by the evaporation of a body of salt water. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][249] DEPRECATED This type is incorrectly under TYPE_TECTONIC instead of TYPE_WATER. This was a mistake and is in the the process of being fixed. b/6537580 root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][282] An area containing numerous geologically related mountains. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][297] A feature representing a group or chain of islands. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][298] ABSTRACT Types which are used only as portions of postal addresses. TYPE_POSTAL is concrete in Saudi Arabia but abstract everywhere else. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][299] This is the type for postal codes which are complete and independent enough that there should be a feature for it (e.g. US 5-digit ZIP codes). For even more detailed suffixes that further subdivide a postal code (such as the +4 component in US ZIP codes), store the information in a TYPE_POSTAL_CODE_SUFFIX address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][300] A prefix portion of a postal code which does not meet the requirements for TYPE_POSTAL_CODE, but which is useful to search for, for example UK outcodes. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][301] A premise is a location at smaller than street granularity. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][304] The term "post town" is used for a locality-like-entity that is only used for postal addresses. It would not make sense to show such an entity on the map, but it may be searched for and may be in the address of other features. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][305] A named delivery route. For example, in NZ rural addresses take the form "Delivery Route Number, Posttown, Postcode, NZ" root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][316] RESERVED A feature whose geometry is planned to replace the geometry on another feature. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][321] RESERVED A temporary feature that is only used internally to a single application. These features should not be written to Oyster repositories or presented to clients. If the application wishes to use multiple transient types, it is responsible for differentiating them using the temporary_data field or other mechanism. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][322] A portal of entry or exit to another feature. Examples: - Subway station entrance. - Parking lot entrance. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][354] RESERVED Represents service-only establishments (those without a storefront location). NOTE(tcain): Using value 0xD441, since we could find ourselves with a need to differentiate service areas from online-only at this level in the future, but still benefit from being able to group those under a common parent, disjoint from TYPE_ESTABLISHMENT_POI. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][355] The root of types of features that are in the sky, rather than on the earth. There will eventually be a hierarchy of types here. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][356] Features responsible for monitoring traffic on roads (usually for speed). Includes cameras at particular points as well as monitors that cover larger spans. Features of this type should have a corresponding gcid that specifies the correct subtype (e.g. gcid:road_camera or gcid:speed_camera_zone). This type was originally named as TYPE_ROAD_CAMERA. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][360] A feature used to represent a logical level, e.g. floor. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][365] RESERVED A terminal point represents a good location for a user to meet a taxi, ridesharing vehicle, or general driver. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][366] An area controlled in some way by an authoritative source, such as a government-designated COVID containment zone. Features of this type should have one or more gcids corresponding to their specific regulation. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][369] RESERVED A fake feature type so we can csearch for automatically generated files that use the FeatureProto types hierarchy. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][370] A feature of completely unknown type. This should only be used when absolutely necessary. One example in which this type is useful is in the Chinese importer, which must heuristically segment addresses into components - it often does not know what types to make those components. Please note that the Oyster address formatter does not currently support address components of TYPE_UNKNOWN well. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][0] ABSTRACT The root of all types. Not a meaningful label of a feature and likewise should never be present in a geostore repository. Useful in that InCategory(t, TYPE_ANY) for all t. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][1] ABSTRACT Feature types that together define a transportation network (routes, segments, and intersections). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][2] A route is any section of road (or rails, etc.) that has a name. This includes city streets as well as highways. Road segments can belong to multiple routes (e.g. El Camino, CA-82). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][3] DEPRECATED This type used to have country-specific highway types but has been DEPRECATED long ago in favor of the country-agnostic subtypes of the TYPE_HIGHWAY hierarchy below. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][14] A designated bicycle route, whose segments may consist of any combination of bicycle paths, bicycle lanes, or city streets. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][15] A designated trail, which may consist of paved walkways, dirt paths, fire road, streets or highways, etc. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][32] An intersection consists of a collection of segments that terminate at the same location. This is topological definition: it may not match what a typical user would think of as an "intersection". See TYPE_INTERSECTION_GROUP, below, for more information. Each segment terminating at an intersection has an "endpoint type" that specifies how that segment is terminated: stop sign, yield sign, three-way light, etc. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][63] Our TYPE_INTERSECTION feature, above, models the point where one or more segments terminate. This is topological definition: it may not match what a typical user would think of as an "intersection". Consider the intersections where Hayes, Market, Larkin, and 9th Street meet near (37.77765, -122.41638) in San Francisco. Most people would probably consider this a single feature, even though we model it as four separate TYPE_INTERSECTION features. This TYPE_INTERSECTION_GROUP is used to model the user's concept of a complex intersection. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][64] A Pathway describes a physical pathway in between two features. See also pathway.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][65] A restriction group describes a set of segment restrictions that belong together and have a name or an associated event. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][66] A toll cluster is either a single point on a segment (represented as a point at the end of the segment that has ENDPOINT_TOLL_BOOTH set) or a group of points on various road segments in MapFacts that represents one or more lanes passing through a toll fixture that all go to the same routing destination. Each toll cluster should have at most a single price per payment method. E.g. {CASH = $5, PASS = $1}. Note: If a toll fixture has different prices for multiple routing destinations, drivers need to be in the correct lane before passing through the toll fixture and hence such a fixture is represented by multiple toll clusters. A toll cluster does not necessarily represent a real-world entity, e.g. a particular plaza/structure as perceived by humans. This is because a plaza can be represented by more than one toll cluster. We require toll clusters to have names, but they might be non-unique. For example, a plaza might be represented by multiple toll clusters that may have the same plaza name. For further details, please see go/toll-cluster-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][84] e.g. Silicon Valley root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][86] In countries where localities are not more structured (e.g. US and CA), we don't bother with subcategories. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][91] An entity widely considered to be a city, that is itself made up of several smaller entities, some of which are cities themselves. For example, Sydney, Australia is comprised of many smaller cities, and is colloquially regarded as a city itself. New York City, on the other hand, contains boroughs, but not other cities. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][111] Eventually we'll have more data for disputed areas (e.g., who makes claims on the area, who has de facto control, etc.). For the moment, we just define a type so we can simply mark areas as disputed. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][112] Boundaries representing the jurisdiction of a particular police station. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][113] An area used for aggregating statistical data, eg, a census region. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][114] RESERVED Constituencies that will go into effect at a future start date. They have unique geometries informative to constituents, politicians, and advertisers. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][173] RESERVED Non-logical point, line, or polygon data to draw on a map. This was introduced by the Japan team to make the maps look more pretty. This is a hack we don't want to extend, so this is marked as reserved even though it appears in Zenrin data (whitelisted). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][189] A line representing the boundary between two features. See border.proto for details. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][191] An association of a point with an address, with no other information. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][208] A flat expanse of salt left by the evaporation of a body of salt water. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][249] DEPRECATED This type is incorrectly under TYPE_TECTONIC instead of TYPE_WATER. This was a mistake and is in the the process of being fixed. b/6537580 root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][282] An area containing numerous geologically related mountains. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][297] A feature representing a group or chain of islands. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][298] ABSTRACT Types which are used only as portions of postal addresses. TYPE_POSTAL is concrete in Saudi Arabia but abstract everywhere else. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][299] This is the type for postal codes which are complete and independent enough that there should be a feature for it (e.g. US 5-digit ZIP codes). For even more detailed suffixes that further subdivide a postal code (such as the +4 component in US ZIP codes), store the information in a TYPE_POSTAL_CODE_SUFFIX address component. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][300] A prefix portion of a postal code which does not meet the requirements for TYPE_POSTAL_CODE, but which is useful to search for, for example UK outcodes. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][301] A premise is a location at smaller than street granularity. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][304] The term "post town" is used for a locality-like-entity that is only used for postal addresses. It would not make sense to show such an entity on the map, but it may be searched for and may be in the address of other features. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][305] A named delivery route. For example, in NZ rural addresses take the form "Delivery Route Number, Posttown, Postcode, NZ" root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][316] RESERVED A feature whose geometry is planned to replace the geometry on another feature. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][321] RESERVED A temporary feature that is only used internally to a single application. These features should not be written to Oyster repositories or presented to clients. If the application wishes to use multiple transient types, it is responsible for differentiating them using the temporary_data field or other mechanism. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][322] A portal of entry or exit to another feature. Examples: - Subway station entrance. - Parking lot entrance. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][354] RESERVED Represents service-only establishments (those without a storefront location). NOTE(tcain): Using value 0xD441, since we could find ourselves with a need to differentiate service areas from online-only at this level in the future, but still benefit from being able to group those under a common parent, disjoint from TYPE_ESTABLISHMENT_POI. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][355] The root of types of features that are in the sky, rather than on the earth. There will eventually be a hierarchy of types here. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][356] Features responsible for monitoring traffic on roads (usually for speed). Includes cameras at particular points as well as monitors that cover larger spans. Features of this type should have a corresponding gcid that specifies the correct subtype (e.g. gcid:road_camera or gcid:speed_camera_zone). This type was originally named as TYPE_ROAD_CAMERA. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][360] A feature used to represent a logical level, e.g. floor. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][365] RESERVED A terminal point represents a good location for a user to meet a taxi, ridesharing vehicle, or general driver. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][366] An area controlled in some way by an authoritative source, such as a government-designated COVID containment zone. Features of this type should have one or more gcids corresponding to their specific regulation. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][369] RESERVED A fake feature type so we can csearch for automatically generated files that use the FeatureProto types hierarchy. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][370] A feature of completely unknown type. This should only be used when absolutely necessary. One example in which this type is useful is in the Chinese importer, which must heuristically segment addresses into components - it often does not know what types to make those components. Please note that the Oyster address formatter does not currently support address components of TYPE_UNKNOWN well.
prod/semanticlocation-pa-v1	dictionary_item_added root['schemas']['GeostoreMedianProto'] root['schemas']['GeostoreMedianProtoSegmentLoopProto'] root['schemas']['GeostoreMedianProtoSegmentLoopProtoIndexedComponentProto'] root['schemas']['GeostoreCityObjectAttributesTrsAffineTransform']['description'] root['schemas']['GeostoreFeatureProto']['properties']['median'] root['schemas']['GeostoreRestrictionProto']['properties']['restrictionId'] root['schemas']['GeostoreSegmentProto']['properties']['relatedMedian'] root['schemas']['LocationPlacesPlacesserverPlaceInfoMobile']['properties']['transitCategory'] dictionary_item_removed root['schemas']['GeostoreAccessPointProto']['properties']['priority']['description'] root['schemas']['GeostoreBestLocaleProto']['properties']['metadata']['description'] root['schemas']['GeostoreRankSignalProto']['description'] root['schemas']['GeostoreRestrictionProto']['properties']['type']['description'] root['schemas']['GeostoreSegmentProto']['properties']['priority']['description'] root['schemas']['GeostoreSegmentProto']['properties']['surface']['description'] root['schemas']['GeostoreSegmentProto']['properties']['usage']['description'] root['schemas']['IndexingMoonshineHappyhourTypesLocation']['properties']['semanticType']['description'] values_changed root['revision'] new_value 20250303 old_value 20250210 root['schemas']['GeostoreAccessPointProto']['description'] new_value This class holds information about a single access point. An access point establishes a relationship between a feature (like a POI or building) and some other feature. For example, consider a TYPE_LOCALITY feature like Seattle. An access point might be the TYPE_AIRPORT feature for Seattle-Tacoma International Airport. The airport feature defines the access point to gain airplane-based access to Seattle. A feature like Seattle will typically have multiple access points. You can get to Seattle using airplanes, various forms of public transit, or by driving a car. Thus Seattle would have multiple access points. You may be able to get to Seattle by flying into SeaTac, or you might be able to fly into Boeing Field, or Paine Field in Everett. You could drive in from the North/South using I-5, or you could drive in from the East using I-90. Many access points are from the road network. Thus the access point for some building at 123 Main Street would likely be a segment that defines the 100-200 block of "Main Street". A feature at the corner of "Hollywood" and "Vine" streets might have access points from both named streets. Access points are an optional field. Data editors may ignore them when creating features or editing other fields. In these cases, other quality teams will synthesize and update them. Several fields are also optional, as they are derivable from other fields. Access points to non-TYPE_SEGMENT features should always have the following fields set: - feature_type - feature_id - point Location and reference fields: BASIC vs DERIVABLE Access points to TYPE_SEGMENT features must have all the following BASIC fields: - feature_type (of the segment, e.g. TYPE_ROAD or TYPE_VIRTUAL_SEGMENT) - point_off_segment (or point; see "fuzzy point" note below) - unsuitable_travel_mode (may be empty) - level (indoor access points only) The following are DERIVABLE fields, which should only be added if the supplier is confident about their accuracy: - feature_id - point_on_segment - segment_position Editing clients are encouraged to set all fields, but they may set only the BASIC fields, in which case quality teams may use the BASIC fields to snap to an appropriate segment and derive the remaining fields. Example: The segment is split, so that the portion that the access point is on has a new feature ID. Quality teams notice that the point_on_segment is no longer on the segment with feature_id, finds the new nearest segment based on feature_type and existing point_on_segment, and re-derives a new feature_id, point_on_segment, and segment_position, keeping other fields consistent. Fuzzy point special case If the editor does not have side-of-road information for access points or is otherwise unsure of the precise placement of the access point, it may supply the point field (and not point_off_segment) as basic data instead, in which case quality teams may generate the point_off_segment. Identity Access points are considered semantically equivalent if they have the same geometry, including derived fields, and the same references to other features (feature_id, level_feature_id). For the exact definition, see cs/symbol:geostore::AreAccessPointsEquivalent. old_value This class holds information about a single access point. An access point establishes a relationship between a feature (like a POI or building) and some other feature. For example, consider a TYPE_LOCALITY feature like Seattle. An access point might be the TYPE_AIRPORT feature for Seattle-Tacoma International Airport. The airport feature defines the access point to gain airplane-based access to Seattle. A feature like Seattle will typically have multiple access points. You can get to Seattle using airplanes, various forms of public transit, or by driving a car. Thus Seattle would have multiple access points. You may be able to get to Seattle by flying into SeaTac, or you might be able to fly into Boeing Field, or Paine Field in Everett. You could drive in from the North/South using I-5, or you could drive in from the East using I-90. Many access points are from the road network. Thus the access point for some building at 123 Main Street would likely be a segment that defines the 100-200 block of "Main Street". A feature at the corner of "Hollywood" and "Vine" streets might have access points from both named streets. Access points are an optional field. Data editors may ignore them when creating features or editing other fields. In these cases, other quality teams will synthesize and update them. Several fields are also optional, as they are derivable from other fields. Access points to non-TYPE_SEGMENT features should always have the following fields set: - feature_type - feature_id - point Location and reference fields: BASIC vs DERIVABLE Access points to TYPE_SEGMENT features must have all the following BASIC fields: - feature_type (of the segment, e.g. TYPE_ROAD or TYPE_VIRTUAL_SEGMENT) - point_off_segment (or point; see "fuzzy point" note below) - unsuitable_travel_mode (may be empty) - level (indoor access points only) The following are DERIVABLE fields, which should only be added if the supplier is confident about their accuracy: - feature_id - point_on_segment - segment_position Editing clients are encouraged to set all fields, but they may set only the BASIC fields, in which case quality teams may use the BASIC fields to snap to an appropriate segment and derive the remaining fields. Example: The segment is split, so that the portion that the access point is on has a new feature ID. Quality teams notice that the point_on_segment is no longer on the segment with feature_id, finds the new nearest segment based on feature_type and existing point_on_segment, and re-derives a new feature_id, point_on_segment, and segment_position, keeping other fields consistent. Fuzzy point special case If the editor does not have side-of-road information for access points or is otherwise unsure of the precise placement of the access point, it may supply the point field (and not point_off_segment) as basic data instead, in which case quality teams may generate the point_off_segment. Identity Access points are considered semantically equivalent if they have the same geometry, including derived fields, and the same references to other features (feature_id, level_feature_id). For the exact definition, see cs/symbol:geostore::AreAccessPointsEquivalent. Field definitions root['schemas']['GeostoreBestLocaleProto']['description'] new_value A BestLocaleProto holds information about the best-match locale for a feature. Clients may use this information to determine the appropriate local name of a feature. Field-level metadata for this best locale. old_value A BestLocaleProto holds information about the best-match locale for a feature. Clients may use this information to determine the appropriate local name of a feature. root['schemas']['GeostoreCityObjectAttributes']['properties']['trsAffineTransform']['description'] new_value A local-to-ECEF affine transform. In the local frame, +X/+Y/+Z represents left/up/forward. It is strongly recommended that clients read from and write to this field using either of the provided public: * Builder library: google3/geostore/base/cityjson/cityjsonproto_builder.h * Converter functions: google3/geostore/base/cityjson/affine/trs_affine_transform_converter.h old_value A local-to-ECEF affine transform. In the local frame, +X/+Y/+Z represents left/up/forward. It is strongly recommended that clients read from and write to this field using the provided public converter libraries. root['schemas']['GeostorePriceRangeProto']['description'] new_value This message represents a price range of an attribute. The meaning of the price bounds is domain specific. But mainly they are soft bounds for a normal usage. E.g. "restaurant prices" are subject to an higher level of "soft" bounds than "museum admission price" NOTE: In the future, it could be useful to have a 'factor' field. For example, if you get billed per 2 hours or per 30 minutes. old_value This message represents a price range of an attribute. The meaning of the price bounds is domain specific. But mainly they are soft bounds for a normal usage. E.g. "restaurant prices" are subject to an higher level of "soft" bounds than "museum admission price" root['schemas']['GeostoreRoadDisruptionProto']['description'] new_value A road disruption is any temporary deviation from the 'normal' state of the road network that impacts users' travel experience. The normal state means roads follow their specified sets of restrictions and allow safe driving at a relatively normal speed for the road. Disruptions may not always be negative, e.g. a road that is normally closed has been opened as an emergency evacuation route. Disruptions might have additional data depending on their types. Disruption types are mutually exclusive, so at most one of these might apply. old_value A road disruption is any temporary deviation from the 'normal' state of the road network that impacts users' travel experience. The normal state means roads follow their specified sets of restrictions and allow safe driving at a relatively normal speed for the road. Disruptions may not always be negative, e.g. a road that is normally closed has been opened as an emergency evacuation route. root['schemas']['GeostoreSegmentProto']['description'] new_value WARNING!! If you add new fields to SegmentProto (or submessages), you must: * Maybe update theSegmentSplitter, if there is special logic when a segment is split, e.g. to adjust fractional attributes; most straightforward attributes *should* be copied over automatically: java/com/google/geostore/base/SegmentSplitter.java * Update the SegmentMerger to correctly copy, update, or delete the fields upon a segmenet merge: java/com/google/geostore/base/SegmentMerger.java * Determine whether the fields are irrelevant for rendering high priority roads at far-out zoom levels, and if not clear them: ClearFeature() in maps/render/process-high-priority-roads.cc * Determine whether the fields are required for rendering, and if not clear them: StripFeature() in maps/render/bucketing-util.cc * Update the tests that ensure the above packages are aware of all SegmentProto fields, or the new fields will a) break the Versatile build and/or b) cause performance regressions due to segment merge failures: - process-high-priority-roads_test.cc - bucketing-util_test.cc LINT.IfChange old_value WARNING!! If you add new fields to SegmentProto (or submessages), you must: * Maybe update theSegmentSplitter, if there is special logic when a segment is split, e.g. to adjust fractional attributes; most straightforward attributes *should* be copied over automatically: java/com/google/geostore/base/SegmentSplitter.java * Update the SegmentMerger to correctly copy, update, or delete the fields upon a segmenet merge: java/com/google/geostore/base/SegmentMerger.java * Determine whether the fields are irrelevant for rendering high priority roads at far-out zoom levels, and if not clear them: ClearFeature() in maps/render/process-high-priority-roads.cc * Determine whether the fields are required for rendering, and if not clear them: StripFeature() in maps/render/bucketing-util.cc * Update the tests that ensure the above packages are aware of all SegmentProto fields, or the new fields will a) break the Versatile build and/or b) cause performance regressions due to segment merge failures: - process-high-priority-roads_test.cc - bucketing-util_test.cc LINT.IfChange() root['schemas']['GeostoreSegmentProto']['properties']['legalMinimumSpeed']['description'] new_value LINT.ThenChange( //depot/google3/geostore/base/internal/segment.cc:has_speed_limit ) old_value LINT.ThenChange(//depot/google3/geostore/base/internal/segment.cc:has_speed_limit) root['schemas']['GeostoreVehicleOccupancyRangeProto']['description'] new_value Describes the range of occupants in a vehicle. old_value Describes the range of occupants in a vehicle. The minimum number of occupants allowed in the vehicle, including the driver. Must be >= 0. root['schemas']['LocationPlacesPlacesserverPlaceInfoMobile']['description'] new_value Proto containing all the information about a particular place that is used by CSL and ODLH to compute features. Next tag: 40 old_value Proto containing all the information about a particular place that is used by ELSA to compute features. Next tag: 39 root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][274] new_value A vertical or nearly vertical slope. Includes escarpments. old_value A vertical or nearly vertical slope. Includes escarpments. An elevated place that is notable for having a good view. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][31] new_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. old_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. Any plausible 1-dimensional path through a 2+ dimensional space, for the purposes of making graph-search-based routing possible. Such segments can be used to model paths through parking lots, squares, floors of buildings and other areas. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][353] new_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds old_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds Establishment POIs can be referenced by TYPE_COMPOUND features using the RELATION_PRIMARILY_OCCUPIED_BY. This is the reciprocal relation of the RELATION_OCCUPIES. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][274] new_value A vertical or nearly vertical slope. Includes escarpments. old_value A vertical or nearly vertical slope. Includes escarpments. An elevated place that is notable for having a good view. root['schemas']['GeostoreRestrictionProto']['properties']['type']['enumDescriptions'][8] new_value Travel over this segment is prohibited because of signage indicating one-way directionality in the opposite direction. This restriction type may not be used for restrictions with non-empty subpaths. old_value Travel over this segment is prohibited because of signage indicating one-way directionality in the opposite direction. This restriction type may not be used for restrictions with non-empty subpaths. Segment is part of a road or area for which through-travel is restricted. This restriction allows for vehicles to be routed on a road only if the destination lies within the restricted area or there is no alternate connectivity to the destination. This restriction type may be used only for restrictions of STYLE_SINGLE. root['schemas']['GeostoreTransitLineProto']['properties']['vehicleType']['enumDescriptions'][16] new_value An aerial lift (colloquially called "gondola lift") is a means of cable transport in which cabins, cars, gondolas or open chairs are hauled above the ground by means of one or more cables. Examples: gondola lift, aerial tramway. old_value An aerial lift (colloquially called "gondola lift") is a means of cable transport in which cabins, cars, gondolas or open chairs are hauled above the ground by means of one or more cables. Examples: gondola lift, aerial tramway. Funicular is a cable railway in which a pair of tram-like vehicles use each other as counter balance to ascend and descend. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][248] new_value Includes overfalls. old_value Includes overfalls. A natural depression filled with water where animals come to drink. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][315] new_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. old_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. A transit line is a collection of transit legs, associated with some invariant properties of the trips that run over the legs. See also transitline.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][31] new_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. old_value Also called a "car transport", a ferry train is a rail service that carries passengers and their vehicles across undrivable terrain. The Channel Tunnel ("Chunnel") is the most famous example, but they are also common in the Alps where they connect neighboring valleys otherwise separated by impassable mountains. Any plausible 1-dimensional path through a 2+ dimensional space, for the purposes of making graph-search-based routing possible. Such segments can be used to model paths through parking lots, squares, floors of buildings and other areas. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][7] new_value This signal derived from the number of documents in DocJoin, which contains keywords of the source feature. For each raw feature, we extract keywords from the feature's name and address. We search the keywords in DocJoin (now only 4B) to get the number of webpages which contains all the keywords of the feature, eg, for Quanjude in Beijing which is a famous restaurant in China, we consider Beijing and Quanjude as its keywords, the page containing both Beijing and Quanjude will be counted in. The number will be mapped by logarithm function into [0, 1]. This signal is based on a simple assumption: the more the name appears in webpage, the more famous it is. old_value This signal derived from the number of documents in DocJoin, which contains keywords of the source feature. For each raw feature, we extract keywords from the feature's name and address. We search the keywords in DocJoin (now only 4B) to get the number of webpages which contains all the keywords of the feature, eg, for Quanjude in Beijing which is a famous restaurant in China, we consider Beijing and Quanjude as its keywords, the page containing both Beijing and Quanjude will be counted in. The number will be mapped by logarithm function into [0, 1]. This signal is based on a simple assumption: the more the name appears in webpage, the more famous it is. These signals are calculated by the Path Radius algorithm, using Pathfinder to figure out in how big a neighborhood this segment is used as a thoroughfare. The popularity is simply the fraction of all paths that use this segment. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][248] new_value Includes overfalls. old_value Includes overfalls. A natural depression filled with water where animals come to drink. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][313] new_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. old_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. A Business Corridor is a dense cluster of semantically similar establishments. TYPE_BUSINESS_CORRIDOR features are distinguished from TYPE_COLLOQUIAL_AREA features because the corridors are not under the political hierarchy, are allowed to be nameless, and may not correspond to well-known real world locations. For more details, see go/geo-corridors-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][262] new_value A stretch of land projecting into water. Includes capes and spits. old_value A stretch of land projecting into water. Includes capes and spits. A strip of land connecting two larger land masses, such as continents. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][60] new_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. old_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. A transfer describes the opportunity to transfer from one station to another. See also transittransfer.proto root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][353] new_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds old_value This type has been replaced by TYPE_COMPOUND_BUILDING. For further details, see go/oyster-compounds Establishment POIs can be referenced by TYPE_COMPOUND features using the RELATION_PRIMARILY_OCCUPIED_BY. This is the reciprocal relation of the RELATION_OCCUPIES. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][364] new_value e.g. single family dwelling, office building. old_value e.g. single family dwelling, office building. e.g. suite, room, hallway, cubicle. root['schemas']['GeostoreRoadSignComponentProto']['properties']['semanticType']['enumDescriptions'][0] new_value Default value. old_value clang-format off Default value. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][62] new_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. old_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. Road sign features have names, point geometry, etc. They also have segment_path data (see below) which lists the segments that refer to the sign. See segment.proto for the reference from the segment to the road sign. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][5] new_value This signal will be set on all routes and is derived by the value of the priority of all segments composing the route. It is a "derived" signal instead of a canonical one because it is not only about inheriting some child segment's priority. We actually take into consideration the priorities of all children segments to come up with a raw value for this signal. old_value This signal will be set on all routes and is derived by the value of the priority of all segments composing the route. It is a "derived" signal instead of a canonical one because it is not only about inheriting some child segment's priority. We actually take into consideration the priorities of all children segments to come up with a raw value for this signal. Derived from the number of POI that use this feature as an address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][262] new_value A stretch of land projecting into water. Includes capes and spits. old_value A stretch of land projecting into water. Includes capes and spits. A strip of land connecting two larger land masses, such as continents. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][2] new_value Magnitude for features with polygonal geometry. old_value Magnitude for features with polygonal geometry. Derived from the number of other features that use this feature as an address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][364] new_value e.g. single family dwelling, office building. old_value e.g. single family dwelling, office building. e.g. suite, room, hallway, cubicle. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][315] new_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. old_value An address template feature provides region-specific conventions for structuring addresses. These features aren't necessarily defined by physical geographic features, so they are classified as meta-features. A transit line is a collection of transit legs, associated with some invariant properties of the trips that run over the legs. See also transitline.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][62] new_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. old_value A segment path is a short path through a set of segments. They differ from routes in several ways. First, these paths are typically very short (a handful of segments). Second, these paths list the segments in a specific order. Third, these paths list segments but don't typically include the siblings of the segments. Road sign features have names, point geometry, etc. They also have segment_path data (see below) which lists the segments that refer to the sign. See segment.proto for the reference from the segment to the road sign. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][313] new_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. old_value A phone number area code is a prefix which also coincides with the area code, or national destination code, of a particular region. A Business Corridor is a dense cluster of semantically similar establishments. TYPE_BUSINESS_CORRIDOR features are distinguished from TYPE_COLLOQUIAL_AREA features because the corridors are not under the political hierarchy, are allowed to be nameless, and may not correspond to well-known real world locations. For more details, see go/geo-corridors-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][60] new_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. old_value TYPE_TRANSIT_AGENCY was moved to 0xC91. This enum value exists for debugging purposes only. A transfer describes the opportunity to transfer from one station to another. See also transittransfer.proto root['schemas']['GeostorePriceRangeProto']['properties']['units']['enumDescriptions'][0] new_value ABSTRACT old_value ABSTRACT The root of the hierarchy. It's an abstract value and shouldn't be present in the repository. iterable_item_added root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreFeaturePropertyIdProto']['properties']['fieldType']['enum'][83] MEDIAN_GEOMETRY_SEGMENT_LOOP root['schemas']['GeostoreFeaturePropertyIdProto']['properties']['fieldType']['enum'][150] SEGMENT_RELATED_MEDIAN root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['GeostoreSpeedLimitProto']['properties']['category']['enum'][4] STATUTORY root['schemas']['GeostoreSpeedLimitProto']['properties']['category']['enumDescriptions'][4] Speed limits that are set by statute for a given area (and may also be influenced by various road attributes). iterable_item_removed root['schemas']['GeostoreDataSourceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreInternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreOntologyRawGConceptInstanceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreProvenanceProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][3] DEPRECATED Derived from the number of local business listings that, once reverse-geocoded, have this feature as an address component. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][37] Rank derived from feature popularity asserted by users. Higher rank values are almost always moderated to verify accuracy, hence reliable. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][64] DEPRECATED Signal for buildings in Japan. This signal is a scale of the map this building label should be rendered. root['schemas']['GeostoreRankSignalProto']['properties']['type']['enumDescriptions'][65] DEPRECATED Signal for peaks in Japan. This signal is a scale of the map this peak label should be rendered. root['schemas']['GeostoreSegmentProto']['properties']['barrier']['enumDescriptions'][0] Some barrier which prevents turns in the middle of a segment, but the details are not known (or the tester doesn't care to distinguish between legal and physical barriers). root['schemas']['GeostoreTransitLineProto']['properties']['vehicleType']['enumDescriptions'][1] ABSTRACT Metropolitan railway transport, mostly for local transit. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][0] ABSTRACT The root of all types. Not a meaningful label of a feature and likewise should never be present in a geostore repository. Useful in that InCategory(t, TYPE_ANY) for all t. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][1] ABSTRACT Feature types that together define a transportation network (routes, segments, and intersections). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][2] A route is any section of road (or rails, etc.) that has a name. This includes city streets as well as highways. Road segments can belong to multiple routes (e.g. El Camino, CA-82). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][3] DEPRECATED This type used to have country-specific highway types but has been DEPRECATED long ago in favor of the country-agnostic subtypes of the TYPE_HIGHWAY hierarchy below. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][14] A designated bicycle route, whose segments may consist of any combination of bicycle paths, bicycle lanes, or city streets. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][15] A designated trail, which may consist of paved walkways, dirt paths, fire road, streets or highways, etc. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][32] An intersection consists of a collection of segments that terminate at the same location. This is topological definition: it may not match what a typical user would think of as an "intersection". See TYPE_INTERSECTION_GROUP, below, for more information. Each segment terminating at an intersection has an "endpoint type" that specifies how that segment is terminated: stop sign, yield sign, three-way light, etc. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][63] Our TYPE_INTERSECTION feature, above, models the point where one or more segments terminate. This is topological definition: it may not match what a typical user would think of as an "intersection". Consider the intersections where Hayes, Market, Larkin, and 9th Street meet near (37.77765, -122.41638) in San Francisco. Most people would probably consider this a single feature, even though we model it as four separate TYPE_INTERSECTION features. This TYPE_INTERSECTION_GROUP is used to model the user's concept of a complex intersection. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][64] A Pathway describes a physical pathway in between two features. See also pathway.proto root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][65] A restriction group describes a set of segment restrictions that belong together and have a name or an associated event. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][66] A toll cluster is either a single point on a segment (represented as a point at the end of the segment that has ENDPOINT_TOLL_BOOTH set) or a group of points on various road segments in MapFacts that represents one or more lanes passing through a toll fixture that all go to the same routing destination. Each toll cluster should have at most a single price per payment method. E.g. {CASH = $5, PASS = $1}. Note: If a toll fixture has different prices for multiple routing destinations, drivers need to be in the correct lane before passing through the toll fixture and hence such a fixture is represented by multiple toll clusters. A toll cluster does not necessarily represent a real-world entity, e.g. a particular plaza/structure as perceived by humans. This is because a plaza can be represented by more than one toll cluster. We require toll clusters to have names, but they might be non-unique. For example, a plaza might be represented by multiple toll clusters that may have the same plaza name. For further details, please see go/toll-cluster-schema. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][84] e.g. Silicon Valley root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][86] In countries where localities are not more structured (e.g. US and CA), we don't bother with subcategories. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][91] An entity widely considered to be a city, that is itself made up of several smaller entities, some of which are cities themselves. For example, Sydney, Australia is comprised of many smaller cities, and is colloquially regarded as a city itself. New York City, on the other hand, contains boroughs, but not other cities. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][111] Eventually we'll have more data for disputed areas (e.g., who makes claims on the area, who has de facto control, etc.). For the moment, we just define a type so we can simply mark areas as disputed. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][112] Boundaries representing the jurisdiction of a particular police station. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][113] An area used for aggregating statistical data, eg, a census region. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][114] RESERVED Constituencies that will go into effect at a future start date. They have unique geometries informative to constituents, politicians, and advertisers. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][173] RESERVED Non-logical point, line, or polygon data to draw on a map. This was introduced by the Japan team to make the maps look more pretty. This is a hack we don't want to extend, so this is marked as reserved even though it appears in Zenrin data (whitelisted). root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][189] A line representing the boundary between two features. See border.proto for details. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][191] An association of a point with an address, with no other information. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][208] A flat expanse of salt left by the evaporation of a body of salt water. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][249] DEPRECATED This type is incorrectly under TYPE_TECTONIC instead of TYPE_WATER. This was a mistake and is in the the process of being fixed. b/6537580 root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][282] An area containing numerous geologically related mountains. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][297] A feature representing a group or chain of islands. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][298] ABSTRACT Types which are used only as portions of postal addresses. TYPE_POSTAL is concrete in Saudi Arabia but abstract everywhere else. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][299] This is the type for postal codes which are complete and independent enough that there should be a feature for it (e.g. US 5-digit ZIP codes). For even more detailed suffixes that further subdivide a postal code (such as the +4 component in US ZIP codes), store the information in a TYPE_POSTAL_CODE_SUFFIX address component. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][300] A prefix portion of a postal code which does not meet the requirements for TYPE_POSTAL_CODE, but which is useful to search for, for example UK outcodes. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][301] A premise is a location at smaller than street granularity. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][304] The term "post town" is used for a locality-like-entity that is only used for postal addresses. It would not make sense to show such an entity on the map, but it may be searched for and may be in the address of other features. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][305] A named delivery route. For example, in NZ rural addresses take the form "Delivery Route Number, Posttown, Postcode, NZ" root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][316] RESERVED A feature whose geometry is planned to replace the geometry on another feature. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][321] RESERVED A temporary feature that is only used internally to a single application. These features should not be written to Oyster repositories or presented to clients. If the application wishes to use multiple transient types, it is responsible for differentiating them using the temporary_data field or other mechanism. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][322] A portal of entry or exit to another feature. Examples: - Subway station entrance. - Parking lot entrance. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][354] RESERVED Represents service-only establishments (those without a storefront location). NOTE(tcain): Using value 0xD441, since we could find ourselves with a need to differentiate service areas from online-only at this level in the future, but still benefit from being able to group those under a common parent, disjoint from TYPE_ESTABLISHMENT_POI. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][355] The root of types of features that are in the sky, rather than on the earth. There will eventually be a hierarchy of types here. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][356] Features responsible for monitoring traffic on roads (usually for speed). Includes cameras at particular points as well as monitors that cover larger spans. Features of this type should have a corresponding gcid that specifies the correct subtype (e.g. gcid:road_camera or gcid:speed_camera_zone). This type was originally named as TYPE_ROAD_CAMERA. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][360] A feature used to represent a logical level, e.g. floor. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][365] RESERVED A terminal point represents a good location for a user to meet a taxi, ridesharing vehicle, or general driver. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][366] An area controlled in some way by an authoritative source, such as a government-designated COVID containment zone. Features of this type should have one or more gcids corresponding to their specific regulation. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][369] RESERVED A fake feature type so we can csearch for automatically generated files that use the FeatureProto types hierarchy. root['schemas']['IndexingMoonshineHappyhourTypesGeostoreTypedFeatureId']['properties']['type']['enumDescriptions'][370] A feature of completely unknown type. This should only be used when absolutely necessary. One example in which this type is useful is in the Chinese importer, which must heuristically segment addresses into components - it often does not know what types to make those components. Please note that the Oyster address formatter does not currently support address components of TYPE_UNKNOWN well. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][0] ABSTRACT The root of all types. Not a meaningful label of a feature and likewise should never be present in a geostore repository. Useful in that InCategory(t, TYPE_ANY) for all t. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][1] ABSTRACT Feature types that together define a transportation network (routes, segments, and intersections). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][2] A route is any section of road (or rails, etc.) that has a name. This includes city streets as well as highways. Road segments can belong to multiple routes (e.g. El Camino, CA-82). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][3] DEPRECATED This type used to have country-specific highway types but has been DEPRECATED long ago in favor of the country-agnostic subtypes of the TYPE_HIGHWAY hierarchy below. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][14] A designated bicycle route, whose segments may consist of any combination of bicycle paths, bicycle lanes, or city streets. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][15] A designated trail, which may consist of paved walkways, dirt paths, fire road, streets or highways, etc. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][32] An intersection consists of a collection of segments that terminate at the same location. This is topological definition: it may not match what a typical user would think of as an "intersection". See TYPE_INTERSECTION_GROUP, below, for more information. Each segment terminating at an intersection has an "endpoint type" that specifies how that segment is terminated: stop sign, yield sign, three-way light, etc. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][63] Our TYPE_INTERSECTION feature, above, models the point where one or more segments terminate. This is topological definition: it may not match what a typical user would think of as an "intersection". Consider the intersections where Hayes, Market, Larkin, and 9th Street meet near (37.77765, -122.41638) in San Francisco. Most people would probably consider this a single feature, even though we model it as four separate TYPE_INTERSECTION features. This TYPE_INTERSECTION_GROUP is used to model the user's concept of a complex intersection. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][64] A Pathway describes a physical pathway in between two features. See also pathway.proto root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][65] A restriction group describes a set of segment restrictions that belong together and have a name or an associated event. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][66] A toll cluster is either a single point on a segment (represented as a point at the end of the segment that has ENDPOINT_TOLL_BOOTH set) or a group of points on various road segments in MapFacts that represents one or more lanes passing through a toll fixture that all go to the same routing destination. Each toll cluster should have at most a single price per payment method. E.g. {CASH = $5, PASS = $1}. Note: If a toll fixture has different prices for multiple routing destinations, drivers need to be in the correct lane before passing through the toll fixture and hence such a fixture is represented by multiple toll clusters. A toll cluster does not necessarily represent a real-world entity, e.g. a particular plaza/structure as perceived by humans. This is because a plaza can be represented by more than one toll cluster. We require toll clusters to have names, but they might be non-unique. For example, a plaza might be represented by multiple toll clusters that may have the same plaza name. For further details, please see go/toll-cluster-schema. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][84] e.g. Silicon Valley root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][86] In countries where localities are not more structured (e.g. US and CA), we don't bother with subcategories. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][91] An entity widely considered to be a city, that is itself made up of several smaller entities, some of which are cities themselves. For example, Sydney, Australia is comprised of many smaller cities, and is colloquially regarded as a city itself. New York City, on the other hand, contains boroughs, but not other cities. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][111] Eventually we'll have more data for disputed areas (e.g., who makes claims on the area, who has de facto control, etc.). For the moment, we just define a type so we can simply mark areas as disputed. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][112] Boundaries representing the jurisdiction of a particular police station. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][113] An area used for aggregating statistical data, eg, a census region. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][114] RESERVED Constituencies that will go into effect at a future start date. They have unique geometries informative to constituents, politicians, and advertisers. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][173] RESERVED Non-logical point, line, or polygon data to draw on a map. This was introduced by the Japan team to make the maps look more pretty. This is a hack we don't want to extend, so this is marked as reserved even though it appears in Zenrin data (whitelisted). root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][189] A line representing the boundary between two features. See border.proto for details. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][191] An association of a point with an address, with no other information. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][208] A flat expanse of salt left by the evaporation of a body of salt water. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][249] DEPRECATED This type is incorrectly under TYPE_TECTONIC instead of TYPE_WATER. This was a mistake and is in the the process of being fixed. b/6537580 root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][282] An area containing numerous geologically related mountains. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][297] A feature representing a group or chain of islands. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][298] ABSTRACT Types which are used only as portions of postal addresses. TYPE_POSTAL is concrete in Saudi Arabia but abstract everywhere else. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][299] This is the type for postal codes which are complete and independent enough that there should be a feature for it (e.g. US 5-digit ZIP codes). For even more detailed suffixes that further subdivide a postal code (such as the +4 component in US ZIP codes), store the information in a TYPE_POSTAL_CODE_SUFFIX address component. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][300] A prefix portion of a postal code which does not meet the requirements for TYPE_POSTAL_CODE, but which is useful to search for, for example UK outcodes. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][301] A premise is a location at smaller than street granularity. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][304] The term "post town" is used for a locality-like-entity that is only used for postal addresses. It would not make sense to show such an entity on the map, but it may be searched for and may be in the address of other features. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][305] A named delivery route. For example, in NZ rural addresses take the form "Delivery Route Number, Posttown, Postcode, NZ" root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][316] RESERVED A feature whose geometry is planned to replace the geometry on another feature. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][321] RESERVED A temporary feature that is only used internally to a single application. These features should not be written to Oyster repositories or presented to clients. If the application wishes to use multiple transient types, it is responsible for differentiating them using the temporary_data field or other mechanism. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][322] A portal of entry or exit to another feature. Examples: - Subway station entrance. - Parking lot entrance. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][354] RESERVED Represents service-only establishments (those without a storefront location). NOTE(tcain): Using value 0xD441, since we could find ourselves with a need to differentiate service areas from online-only at this level in the future, but still benefit from being able to group those under a common parent, disjoint from TYPE_ESTABLISHMENT_POI. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][355] The root of types of features that are in the sky, rather than on the earth. There will eventually be a hierarchy of types here. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][356] Features responsible for monitoring traffic on roads (usually for speed). Includes cameras at particular points as well as monitors that cover larger spans. Features of this type should have a corresponding gcid that specifies the correct subtype (e.g. gcid:road_camera or gcid:speed_camera_zone). This type was originally named as TYPE_ROAD_CAMERA. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][360] A feature used to represent a logical level, e.g. floor. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][365] RESERVED A terminal point represents a good location for a user to meet a taxi, ridesharing vehicle, or general driver. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][366] An area controlled in some way by an authoritative source, such as a government-designated COVID containment zone. Features of this type should have one or more gcids corresponding to their specific regulation. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][369] RESERVED A fake feature type so we can csearch for automatically generated files that use the FeatureProto types hierarchy. root['schemas']['IndexingMoonshineHappyhourTypesLocationGeoLocationProperties']['properties']['typeCategory']['enumDescriptions'][370] A feature of completely unknown type. This should only be used when absolutely necessary. One example in which this type is useful is in the Chinese importer, which must heuristically segment addresses into components - it often does not know what types to make those components. Please note that the Oyster address formatter does not currently support address components of TYPE_UNKNOWN well.
prod/shoppingdataintegration-	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/shoppingdataintegration-v1	values_changed root['revision'] new_value 20250312 old_value 20250310
prod/southamerica-east1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/southamerica-east1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/southamerica-east1-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/southamerica-east1-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/staging-identitytoolkit.sandbox-v1	values_changed root['revision'] new_value 20250312 old_value 20250311
prod/staging-identitytoolkit.sandbox-v2	values_changed root['revision'] new_value 20250312 old_value 20250311
prod/staging-identitytoolkit.sandbox-v2alpha1	values_changed root['revision'] new_value 20250312 old_value 20250311
prod/staging-identitytoolkit.sandbox-v2beta1	values_changed root['revision'] new_value 20250312 old_value 20250311
prod/staging-keep-pa-	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250311 old_value 20250213 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/staging-keep-pa-v1	dictionary_item_added root['schemas']['GetNoteInfoResponse']['properties']['type']['enumDeprecated'] root['schemas']['Note']['properties']['quillNote']['deprecated'] values_changed root['revision'] new_value 20250311 old_value 20250213 root['schemas']['Note']['properties']['quillNote']['description'] new_value A quillNote is a note with an empty message. old_value A quillNote is a note with an empty message.
prod/staging-notifications-pa.sandbox-	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/staging-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/staging-qual-qa-notifications-pa.sandbox-	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/staging-qual-qa-notifications-pa.sandbox-v1	dictionary_item_added root['schemas']['GmmNotifications__GmmClientGunsExtension']['properties']['inboxCapabilities'] root['schemas']['GoogleInternalTapandpayV1PassesTemplates__AddContentData']['properties']['isPreviousAmount'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['deprecated'] root['schemas']['GoogleLogsTapandpayAndroid_ClosedLoopEvent_TopupMetadata']['properties']['amountSelected']['description'] root['schemas']['NotificationsBackendCommonMessage_AndroidMessageHint_NotificationBehavior']['properties']['silentOnReplacement'] root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['properties']['silentOnReplacement'] root['schemas']['NotificationsFrontendData_RenderContext_DeviceInfo']['properties']['iosSdkGeneration'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainMapEditStrategy'] root['schemas']['PhotosEffects__HdrGainmapEffectParams']['properties']['gainmapState']['description'] values_changed root['revision'] new_value 20250313 old_value 20250311 root['schemas']['NotificationsBackendCommonMessage__IosMessageHint']['description'] new_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 36 old_value IosMessageHint can be included with the GenericMessage proto to achieve customizations of the generic message specifically for iOS devices. Any fields in IosMessageHint that overlap with fields in GenericMessage will be resolved in favor of the IosMessageHint. Next ID: 35 root['schemas']['Proto2Bridge__MessageSet']['description'] new_value LINT.ThenChange( //depot/google3/third_party/protobuf/github/src/google/protobuf/bridge/message_set.proto ) This is proto2's version of MessageSet. old_value This is proto2's version of MessageSet. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][274] new_value go/follow related Pickers. String-only pickers. old_value go/follow related Pickers. iterable_item_added root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enum'][304] OAUTH_TOKEN_EXPIRATION_NOTIFICATION_UNICORN_EMAIL root['schemas']['GaiaData__AccountNotificationEvent']['properties']['eventType']['enumDescriptions'][304] Send email notifications to Unicorn users to notify them about their expiring app access. root['schemas']['GoogleLogsTapandpayAndroid__DynamicAidRegistrationEvent']['properties']['registrationReason']['enum'][13] ACCOUNT_CHANGED root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][277] UPSELL_CREATOR_PICKER root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][609] WEBKICK_UGC_CONTENT root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][276] Creator Picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][278] Sports team picker root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][609] Need bundle type for UGC content in Discover. go/discover-ugc-content-retrieval root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][903] CONTENT_EXPLORATION_WEB root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1071] HOME_STACK_UTILITY_FOLLOW_MANAGEMENT root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1072] COMMUNITY_DISCUSSIONS root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1474] WEBKICK_INTEREST_UGC root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1539] DEPRECATED_UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enumDescriptions'][1474] Next available Cardmaker tag: 60078 iterable_item_removed root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enum'][543] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][543] Need bundle type for Modern Creators & Formats (go/mcf-pulse) delayed notes creation prompt card. go/link-notes-delayed-creation-in-discover-dd. root['schemas']['Sidekick__ClusterMetadata']['properties']['needBundleType']['enumDescriptions'][549] Need bundle type for upselling a query picker to users more likely to follow queries. root['schemas']['Sidekick__SemanticProperties']['properties']['cardCategory']['enum'][1000] UCP_DELAYED_NOTES_CREATION_PROMPT_CARD
prod/staging-userlocation.sandbox-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/staging-userlocation.sandbox-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/subscribewithgoogle-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/subscribewithgoogle-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/takeout-pa-	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/takeout-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/takeout-pa-v2	values_changed root['revision'] new_value 20250310 old_value 20250227
prod/tasks-pa-	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/tasks-pa-v1	values_changed root['revision'] new_value 20250311 old_value 20250307
prod/tenor-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/tenor-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/tenor-v2	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/tile-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/tile-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/transferappliance-v1alpha1	values_changed root['revision'] new_value 20250306 old_value 20250227
prod/travelpartnerprices-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/travelpartnerprices-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/ulp1p-pa-	values_changed root['revision'] new_value 20250313 old_value 20250213 iterable_item_added root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enum'][743] PROVIDER_PULSE_ENERGY root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enum'][744] PROVIDER_NUMOCITY root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enum'][718] CODE_ASSIST root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enumDescriptions'][718] go/crescendo-ux root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enumDescriptions'][719] go/connect-ai-agent root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['LanguagePreferenceParams']['properties']['appId']['enum'][718] CODE_ASSIST root['schemas']['LanguagePreferenceParams']['properties']['appId']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['schemas']['LanguagePreferenceParams']['properties']['appId']['enumDescriptions'][718] go/crescendo-ux root['schemas']['LanguagePreferenceParams']['properties']['appId']['enumDescriptions'][719] go/connect-ai-agent iterable_item_removed root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C.
prod/ulp1p-pa-v1	values_changed root['revision'] new_value 20250313 old_value 20250213 iterable_item_added root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enum'][743] PROVIDER_PULSE_ENERGY root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enum'][744] PROVIDER_NUMOCITY root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enum'][718] CODE_ASSIST root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enumDescriptions'][718] go/crescendo-ux root['schemas']['IncludeDataSource']['properties']['allowedUlsOverrideAppIds']['items']['enumDescriptions'][719] go/connect-ai-agent root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enum'][743] PROVIDER_PULSE_ENERGY root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enum'][744] PROVIDER_NUMOCITY root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][744] Note: Next available value is 0x127E. root['schemas']['LanguagePreferenceParams']['properties']['appId']['enum'][718] CODE_ASSIST root['schemas']['LanguagePreferenceParams']['properties']['appId']['enum'][719] CUSTOMER_ENGAGEMENT_AI root['schemas']['LanguagePreferenceParams']['properties']['appId']['enumDescriptions'][718] go/crescendo-ux root['schemas']['LanguagePreferenceParams']['properties']['appId']['enumDescriptions'][719] go/connect-ai-agent iterable_item_removed root['resources']['languagePreferences']['resources']['version']['methods']['get']['parameters']['userLocation.metadata.internal.sourceSummary.provider']['enumDescriptions'][742] Note: Next available value is 0x127C. root['schemas']['InternalSourceSummaryProto']['properties']['provider']['enumDescriptions'][742] Note: Next available value is 0x127C.
prod/us-alpha-vision-	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-alpha-vision-v1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-alpha-vision-v1p1beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-alpha-vision-v1p2beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-alpha-vision-v1p3beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-alpha-vision-v1p4beta1	values_changed root['revision'] new_value 20250312 old_value 20250228
prod/us-chronicle-	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/us-chronicle-v1alpha	dictionary_item_added root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['delete'] root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['undelete'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateOrUpdateCase'] root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyCreateSoarAlert'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList'] root['schemas']['GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue'] root['schemas']['GoogleCloudStorageEventDrivenSettings'] root['schemas']['InstanceUdmSearchResponse'] root['schemas']['LegacyCreateOrUpdateCaseRequest'] root['schemas']['LegacyCreateSoarAlertRequest'] root['schemas']['LegacyFederatedUdmSearchViewResponse'] root['schemas']['LegacySoarAlert'] root['schemas']['SQSV2AccessKeySecretAuth'] root['schemas']['SoarEvent'] root['schemas']['UndeleteInstanceRequest'] root['schemas']['BackstoryFile']['properties']['symhash'] root['schemas']['ColumnMetadata']['properties']['latitude'] root['schemas']['ColumnMetadata']['properties']['longitude'] root['schemas']['EntityRisk']['properties']['riskWindowHasNewDetections'] root['schemas']['Extensions']['properties']['entityRisk'] root['schemas']['FeedDetails']['properties']['googleCloudStorageEventDrivenSettings'] root['schemas']['Instance']['properties']['customerCode'] root['schemas']['Instance']['properties']['deleteTime'] root['schemas']['Instance']['properties']['purgeTime'] root['schemas']['Instance']['properties']['wipeoutStatus'] root['schemas']['SQSAuthV2']['properties']['sqsV2AccessKeySecretAuth'] dictionary_item_removed root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['findings'] root['schemas']['FetchSimilarFindingsResponse'] root['schemas']['OmniflowAmazonS3Settings'] root['schemas']['OmniflowAmazonSQSSettings'] root['schemas']['OmniflowGoogleCloudStorageSettings'] root['schemas']['OmniflowS3Auth'] root['schemas']['FeedDetails']['properties']['omniflowAmazonS3Settings'] root['schemas']['FeedDetails']['properties']['omniflowAmazonSqsSettings'] root['schemas']['FeedDetails']['properties']['omniflowGcsSettings'] root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDeprecated'] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDeprecated'] values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateCollectionAgentAuth']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to generate a collection agent auth json file for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateSoarAuthJwt']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['generateWorkspaceConnectionToken']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to create workspace token for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['report']['parameters']['name']['description'] new_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the chronicle instance to retrieve a report for. Format: projects/{project_id}/locations/{region}/instances/{instance} root['resources']['projects']['resources']['locations']['resources']['instances']['resources']['legacy']['methods']['legacyBatchGetCases']['parameters']['instance']['description'] new_value Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy old_value Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}/legacy root['revision'] new_value 20250310 old_value 20250227 root['schemas']['EntityRisk']['description'] new_value Stores information related to the risk score of an entity. Next ID: 15 old_value Stores information related to the risk score of an entity. Next ID: 14 root['schemas']['EntityRisk']['properties']['riskWindowSize']['description'] new_value Risk window duration for the entity. old_value Risk window duration for the Entity. root['schemas']['Instance']['properties']['name']['description'] new_value Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} old_value Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} root['schemas']['SQSAuthV2']['properties']['additionalS3AccessKeySecretAuth']['description'] new_value Required. Deprecated. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. old_value Required. If the S3 objects referred to by the SQS queue require different auth info other than the SQS auth, that can be specified here. Additional S3AccessKeySecret. Required. root['schemas']['StatusProto']['properties']['canonicalCode']['description'] new_value copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; old_value The canonical error code (see codes.proto) that most closely corresponds to this status. This may be missing, and in the common case of the generic space, it definitely will be. copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional int32 canonical_code = 6; root['schemas']['StatusProto']['properties']['space']['description'] new_value copybara:strip_begin(b/383363683) Space to which this status belongs copybara:strip_end_and_replace optional string space = 2; // Space to which this status belongs old_value The following are usually only present when code != 0 Space to which this status belongs copybara:strip_begin(b/383363683) copybara:strip_end_and_replace optional string space = 2; iterable_item_added root['schemas']['AnalyticValue']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['AnalyticValue']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EnrichmentDisablementTarget']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['EventTypesSuggestion']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['EventTypesSuggestion']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2124] JIT root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2125] PROCORE root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2126] HP_INC_MFP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2129] FORD_ADFS_IDP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2130] FORD_BLUE_DNS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2131] TSA_VMS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2132] ALLIANZ_CPAM root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2134] PANORAYS root['schemas']['IoCDiscoveryInfo']['properties']['logType']['enum'][2135] BBVA_BAEMPRE root['schemas']['Metadata']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['Metadata']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][19] GOOGLE_CLOUD_STORAGE_EVENT_DRIVEN root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][19] Google Cloud Storage Feed backed by Omniflow STS driven by pubsub events. root['schemas']['RawLog']['properties']['type']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['RawLog']['properties']['type']['enum'][2124] JIT root['schemas']['RawLog']['properties']['type']['enum'][2125] PROCORE root['schemas']['RawLog']['properties']['type']['enum'][2126] HP_INC_MFP root['schemas']['RawLog']['properties']['type']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['RawLog']['properties']['type']['enum'][2128] KPMG_JAPAN_HR root['schemas']['RawLog']['properties']['type']['enum'][2129] FORD_ADFS_IDP root['schemas']['RawLog']['properties']['type']['enum'][2130] FORD_BLUE_DNS root['schemas']['RawLog']['properties']['type']['enum'][2131] TSA_VMS root['schemas']['RawLog']['properties']['type']['enum'][2132] ALLIANZ_CPAM root['schemas']['RawLog']['properties']['type']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['RawLog']['properties']['type']['enum'][2134] PANORAYS root['schemas']['RawLog']['properties']['type']['enum'][2135] BBVA_BAEMPRE root['schemas']['RawLogEventInformation']['properties']['eventType']['enum'][103] ENTITY_RISK_CHANGE root['schemas']['RawLogEventInformation']['properties']['eventType']['enumDescriptions'][103] An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. root['schemas']['SIEventData']['properties']['rawLogType']['enum'][1412] BLOCKDAEMON_METOMIC root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2124] JIT root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2125] PROCORE root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2126] HP_INC_MFP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2127] MERU_CONTENTKEEPER_PROXY root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2128] KPMG_JAPAN_HR root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2129] FORD_ADFS_IDP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2130] FORD_BLUE_DNS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2131] TSA_VMS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2132] ALLIANZ_CPAM root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2133] HKBK_ASE1_DIGITALGUARDIAN_NDLP root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2134] PANORAYS root['schemas']['SIEventData']['properties']['rawLogType']['enum'][2135] BBVA_BAEMPRE iterable_item_removed root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedDetails']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedDetails']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['FeedSourceTypeSchema']['properties']['feedSourceType']['enumDescriptions'][14] root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][14] OMNIFLOW_GOOGLE_CLOUD_STORAGE root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][15] OMNIFLOW_AMAZON_S3 root['schemas']['PackLogType']['properties']['recommendedSourceType']['enum'][16] OMNIFLOW_AMAZON_SQS root['schemas']['PackLogType']['properties']['recommendedSourceType']['enumDescriptions'][14]
prod/us-chronicle-v1beta	values_changed root['resources']['projects']['resources']['locations']['resources']['instances']['methods']['get']['parameters']['name']['description'] new_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{location}/instances/{instance} old_value Required. The name of the instance to retrieve. Format: projects/{project_id}/locations/{region}/instances/{instance} root['revision'] new_value 20250310 old_value 20250227 root['schemas'] new_value AIOverview description AI generated overview for the search results. id AIOverview properties aiSummary description AI summary for the search results. Markdown formatted. type string complete description Whether AI overview generation is complete. type boolean suggestions description Suggested actions to continue the investigation in chat. items $ref Action type array type object Action description Action represents an action that can be performed in the host UI. id Action properties actionType description Output only. Type of action. enum ACTION_TYPE_UNSPECIFIED FOLLOW_UP NAVIGATION EXECUTION enumDescriptions The action type is unspecified. The action is a follow up action. The action is a navigation action. The action is an execution action. readOnly True type string displayText description Output only. The text that'll be displayed to the user if this is rendered in the UI as a suggested action. readOnly True type string execution $ref Execution description Metadata for execution action. followUp $ref FollowUp description Metadata for follow up action. navigation $ref Navigation description Metadata for navigation action. useCaseId description Output only. The use case ID of the action. It's used internally to identify in which context the action is used. readOnly True type string type object AlertFieldAggregation id AlertFieldAggregation properties alertCount format int32 type integer allValues items $ref AlertFieldValueCount type array baselineAlertCount format int32 type integer bottomValues items $ref AlertFieldValueCount type array fieldName type string tooManyValues type boolean topValues items $ref AlertFieldValueCount type array valueCount format int32 type integer type object AlertFieldAggregations id AlertFieldAggregations properties fields items $ref AlertFieldAggregation type array type object AlertFieldValue id AlertFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string stringValue type string uint32Value format uint32 type integer uint64Value format uint64 type string type object AlertFieldValueCount id AlertFieldValueCount properties alertCount format int32 type integer baselineAlertCount format int32 type integer value $ref AlertFieldValue type object AnalystVerdict description Verdict provided by the human analyst. These fields are used to model Mandiant sources. id AnalystVerdict properties confidenceScore description Confidence score of the verdict. format int32 type integer verdictResponse description Details of the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp at which the verdict was generated. format google-datetime type string type object AnalyticsMetadata description Stores information about an analytics metric used in a rule. id AnalyticsMetadata properties analytic description Name of the analytic. type string type object Annotation description Extra parameters that don't fit anywhere else, captured as key/value. For example "VendorID/42" in BlackBerry user agents. The following keys are modified with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference): * "Chrome" (see `browser_version`) * "ChromiumBrowser" (unavailable) * "ChromeWebview" (unavailable) * "OS_VERSION" (see `os`) * "Rest" (unavailable) * "misc" (see `device`) id Annotation properties key type string value type string type object Artifact description Information about an artifact. The artifact can only be an IP. id Artifact properties anonymous description Whether the VPN tunnels are configured for anonymous browsing or not. type boolean artifactClient $ref ArtifactClient description Entity or software accessing or utilizing network resources. asOwner description Owner of the Autonomous System to which the IP address belongs. type string asn description Autonomous System Number to which the IP address belongs. format int64 type string firstSeenTime description First seen timestamp of the IP in the customer's environment. format google-datetime type string ip description IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity. type string jarm description The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a). type string lastHttpsCertificate $ref SSLCertificate description SSL certificate information about the IP address. lastHttpsCertificateDate description Most recent date for the certificate in VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the IP address in the customer's environment. format google-datetime type string location $ref Location description Location of the Artifact's IP address. network $ref Network description Network information related to the Artifact's IP address. prevalence $ref Prevalence description The prevalence of the artifact within the customer's environment. regionalInternetRegistry description RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC). type string risks description This field lists potential risks associated with the network activity. items type string type array tags description Identification attributes items type string type array tunnels description VPN tunnels. items $ref Tunnels type array whois description WHOIS information as returned from the pertinent WHOIS server. type string whoisDate description Date of the last update of the WHOIS record in VirusTotal. format google-datetime type string type object ArtifactClient description Entity or software accessing or utilizing network resources. id ArtifactClient properties behaviors description The behaviors of the client accessing the network. items type string type array proxies description The type of proxies used by the client. items type string type array type object Asset description Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM. id Asset properties assetId description The asset ID. Value must contain the ':' character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities. type string attribute $ref Attribute description Generic entity metadata attributes of the asset. category description The category of the asset (e.g. "End User Asset", "Workstation", "Server"). type string creationTime deprecated True description Time the asset was created or provisioned. Deprecate: creation_time should be populated in Attribute as generic metadata. format google-datetime type string deploymentStatus description The deployment status of the asset for device lifecycle purposes. enum DEPLOYMENT_STATUS_UNSPECIFIED ACTIVE PENDING_DECOMISSION DECOMISSIONED enumDescriptions Unspecified deployment status. Asset is active, functional and deployed. Asset is pending decommission and no longer deployed. Asset is decommissioned. type string firstDiscoverTime description Time the asset was first discovered (by asset management/discoverability software). format google-datetime type string firstSeenTime description The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string hardware description The asset hardware specifications. items $ref Hardware type array hostname description Asset hostname or domain name field. This field can be used as an entity indicator for asset entities. type string ip description A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array labels deprecated True description Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata. items $ref Label type array lastBootTime description Time the asset was last boot started. format google-datetime type string lastDiscoverTime description Time the asset was last discovered (by asset management/discoverability software). format google-datetime type string location $ref Location description Location of the asset. mac description List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities. items type string type array natIp description List of NAT IP addresses associated with an asset. items type string type array networkDomain description The network domain of the asset (e.g. "corp.acme.com") type string platformSoftware $ref PlatformSoftware description The asset operating system platform software. productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities. type string software description The asset software details. items $ref Software type array systemLastUpdateTime description Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time. format google-datetime type string type description The type of the asset (e.g. workstation or laptop or server). enum ROLE_UNSPECIFIED WORKSTATION LAPTOP IOT NETWORK_ATTACHED_STORAGE PRINTER SCANNER SERVER TAPE_LIBRARY MOBILE enumDescriptions Unspecified asset role. A workstation or desktop. A laptop computer. An IOT asset. A network attached storage device. A printer. A scanner. A server. A tape library device. A mobile device such as a mobile phone or PDA. type string vulnerabilities description Vulnerabilities discovered on asset. items $ref Vulnerability type array type object Association description Associations represents different metadata about malware and threat actors involved with an IoC. id Association properties alias description Different aliases of the threat actor given by different sources. items $ref AssociationAlias type array associatedActors description List of associated threat actors for a malware. Not applicable for threat actors. items $ref Association type array countryCode description Country from which the threat actor/ malware is originated. items type string type array description description Human readable description about the association. type string firstReferenceTime description First time the threat actor was referenced or seen. format google-datetime type string id description Unique association id generated by mandiant. type string industriesAffected description List of industries the threat actor affects. items type string type array lastReferenceTime description Last time the threat actor was referenced or seen. format google-datetime type string name description Name of the threat actor/malware. type string regionCode $ref Location description Name of the country, the threat is originating from. role description Role of the malware. Not applicable for threat actor. type string sourceCountry deprecated True description Name of the country the threat originated from. type string sponsorRegion $ref Location description Sponsor region of the threat actor. tags description Tags. items type string type array targetedRegions description Targeted regions. items $ref Location type array type description Signifies the type of association. enum ASSOCIATION_TYPE_UNSPECIFIED THREAT_ACTOR MALWARE enumDescriptions The default Association Type. Association type Threat actor. Association type Malware. type string type object AssociationAlias description Association Alias used to represent Mandiant Threat Intelligence. id AssociationAlias properties company description Name of the provider who gave the association's name. type string name description Name of the alias. type string type object AttackDetails description MITRE ATT&CK details. id AttackDetails properties tactics description Tactics employed. items $ref Tactic type array techniques description Techniques employed. items $ref Technique type array version description ATT&CK version (e.g. 12.1). type string type object Attribute description Attribute is a container for generic entity attributes including common attributes across core entities (such as, user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account). id Attribute properties cloud $ref Cloud description Cloud metadata attributes such as project ID, account ID, or organizational hierarchy. creationTime description Time the resource or entity was created or provisioned. format google-datetime type string labels description Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels. Should not be used for arbitrary key-value mappings. items $ref Label type array lastUpdateTime description Time the resource or entity was last updated. format google-datetime type string permissions description System permissions for IAM entity (human principal, service account, group). items $ref Permission type array roles description System IAM roles to be assumed by resources to use the role's permissions for access control. items $ref Role type array type object Authentication description The Authentication extension captures details specific to authentication events. General guidelines for authentication events: * Details about the source of the authentication event (for example, client IP or hostname), should be captured in principal. The principal may be empty if we have no details about the source of the login. * Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target. * Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company's SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user's device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution. id Authentication properties authDetails description The vendor defined details of the authentication. type string mechanism description The authentication mechanism. items enum MECHANISM_UNSPECIFIED USERNAME_PASSWORD OTP HARDWARE_KEY LOCAL REMOTE REMOTE_INTERACTIVE MECHANISM_OTHER BADGE_READER NETWORK BATCH SERVICE UNLOCK NETWORK_CLEAR_TEXT NEW_CREDENTIALS INTERACTIVE CACHED_INTERACTIVE CACHED_REMOTE_INTERACTIVE CACHED_UNLOCK BIOMETRIC WEARABLE enumDescriptions The default mechanism. Username + password authentication. OTP authentication. Hardware key authentication. Local authentication. Remote authentication. RDP, Terminal Services, or VNC. Some other mechanism that is not defined here. Badge reader authentication Network authentication. Batch authentication. Service authentication Direct human-interactive unlock authentication. Network clear text authentication. Authentication with new credentials. Interactive authentication. Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Cached Remote Interactive authentication using cached credentials. Biometric device such as a fingerprint reader. Wearable such as an Apple Watch. type string type array type description The type of authentication. enum AUTHTYPE_UNSPECIFIED MACHINE SSO VPN PHYSICAL TACACS enumDescriptions The default type. A machine authentication. An SSO authentication. A VPN authentication. A Physical authentication (e.g. "Badge reader"). A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+). type string type object AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. id AuthorityKeyId properties keyid description Key hexdump. type string serialNumber description Serial number hexdump. type string type object BackstoryEntity description An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user 'abc@example.corp' launched process 'shady.exe'. The event does not include information that user 'abc@example.com' is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context. id BackstoryEntity properties additional additionalProperties description Properties of the object. type any description Important entity data that cannot be adequately represented within the formal sections of the Entity. type object entity $ref Noun description Noun in the UDM event that this entity represents. metadata $ref EntityMetadata description Entity metadata such as timestamp, product, etc. metric $ref Metric description Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC. relations description One or more relationships between the entity (a) and other entities, including the relationship type and related entity. items $ref Relation type array riskScore $ref EntityRisk description Stores information related to the entity's risk score. type object BackstoryFile description Information about a file. id BackstoryFile properties ahash deprecated True description Deprecated. Use authentihash instead. type string authentihash description Authentihash of the file. type string capabilitiesTags description Capabilities tags. items type string type array createTime description Timestamp when the file was created. format google-datetime type string embeddedDomains description Embedded domains found in the file. items type string type array embeddedIps description Embedded IP addresses found in the file. items type string type array embeddedUrls description Embedded urls found in the file. items type string type array exifInfo $ref ExifInfo description Exif metadata from different file formats extracted by exiftool. fileMetadata $ref FileMetadata deprecated True description Metadata associated with the file. Deprecate FileMetadata in favor of using fields in File. fileType description FileType field. enum FILE_TYPE_UNSPECIFIED FILE_TYPE_PE_EXE FILE_TYPE_PE_DLL FILE_TYPE_MSI FILE_TYPE_NE_EXE FILE_TYPE_NE_DLL FILE_TYPE_DOS_EXE FILE_TYPE_DOS_COM FILE_TYPE_COFF FILE_TYPE_ELF FILE_TYPE_LINUX_KERNEL FILE_TYPE_RPM FILE_TYPE_LINUX FILE_TYPE_MACH_O FILE_TYPE_JAVA_BYTECODE FILE_TYPE_DMG FILE_TYPE_DEB FILE_TYPE_PKG FILE_TYPE_PYC FILE_TYPE_LNK FILE_TYPE_DESKTOP_ENTRY FILE_TYPE_JPEG FILE_TYPE_TIFF FILE_TYPE_GIF FILE_TYPE_PNG FILE_TYPE_BMP FILE_TYPE_GIMP FILE_TYPE_IN_DESIGN FILE_TYPE_PSD FILE_TYPE_TARGA FILE_TYPE_XWD FILE_TYPE_DIB FILE_TYPE_JNG FILE_TYPE_ICO FILE_TYPE_FPX FILE_TYPE_EPS FILE_TYPE_SVG FILE_TYPE_EMF FILE_TYPE_WEBP FILE_TYPE_DWG FILE_TYPE_DXF FILE_TYPE_THREEDS FILE_TYPE_OGG FILE_TYPE_FLC FILE_TYPE_FLI FILE_TYPE_MP3 FILE_TYPE_FLAC FILE_TYPE_WAV FILE_TYPE_MIDI FILE_TYPE_AVI FILE_TYPE_MPEG FILE_TYPE_QUICKTIME FILE_TYPE_ASF FILE_TYPE_DIVX FILE_TYPE_FLV FILE_TYPE_WMA FILE_TYPE_WMV FILE_TYPE_RM FILE_TYPE_MOV FILE_TYPE_MP4 FILE_TYPE_T3GP FILE_TYPE_WEBM FILE_TYPE_MKV FILE_TYPE_PDF FILE_TYPE_PS FILE_TYPE_DOC FILE_TYPE_DOCX FILE_TYPE_PPT FILE_TYPE_PPTX FILE_TYPE_XLS FILE_TYPE_XLSX FILE_TYPE_RTF FILE_TYPE_PPSX FILE_TYPE_ODP FILE_TYPE_ODS FILE_TYPE_ODT FILE_TYPE_HWP FILE_TYPE_GUL FILE_TYPE_ODF FILE_TYPE_ODG FILE_TYPE_ONE_NOTE FILE_TYPE_OOXML FILE_TYPE_SLK FILE_TYPE_EBOOK FILE_TYPE_LATEX FILE_TYPE_TTF FILE_TYPE_EOT FILE_TYPE_WOFF FILE_TYPE_CHM FILE_TYPE_ZIP FILE_TYPE_GZIP FILE_TYPE_BZIP FILE_TYPE_RZIP FILE_TYPE_DZIP FILE_TYPE_SEVENZIP FILE_TYPE_CAB FILE_TYPE_JAR FILE_TYPE_RAR FILE_TYPE_MSCOMPRESS FILE_TYPE_ACE FILE_TYPE_ARC FILE_TYPE_ARJ FILE_TYPE_ASD FILE_TYPE_BLACKHOLE FILE_TYPE_KGB FILE_TYPE_ZLIB FILE_TYPE_TAR FILE_TYPE_ZST FILE_TYPE_LZFSE FILE_TYPE_PYTHON_WHL FILE_TYPE_PYTHON_PKG FILE_TYPE_MSIX FILE_TYPE_TEXT FILE_TYPE_SCRIPT FILE_TYPE_PHP FILE_TYPE_PYTHON FILE_TYPE_PERL FILE_TYPE_RUBY FILE_TYPE_C FILE_TYPE_CPP FILE_TYPE_JAVA FILE_TYPE_SHELLSCRIPT FILE_TYPE_PASCAL FILE_TYPE_AWK FILE_TYPE_DYALOG FILE_TYPE_FORTRAN FILE_TYPE_JAVASCRIPT FILE_TYPE_POWERSHELL FILE_TYPE_VBA FILE_TYPE_M4 FILE_TYPE_OBJETIVEC FILE_TYPE_JMOD FILE_TYPE_MAKEFILE FILE_TYPE_INI FILE_TYPE_CLJ FILE_TYPE_PDB FILE_TYPE_SQL FILE_TYPE_NEKO FILE_TYPE_WER FILE_TYPE_GOLANG FILE_TYPE_M3U FILE_TYPE_BAT FILE_TYPE_MSC FILE_TYPE_RDP FILE_TYPE_SYMBIAN FILE_TYPE_PALMOS FILE_TYPE_WINCE FILE_TYPE_ANDROID FILE_TYPE_IPHONE FILE_TYPE_HTML FILE_TYPE_XML FILE_TYPE_SWF FILE_TYPE_FLA FILE_TYPE_COOKIE FILE_TYPE_TORRENT FILE_TYPE_EMAIL_TYPE FILE_TYPE_OUTLOOK FILE_TYPE_SGML FILE_TYPE_JSON FILE_TYPE_CSV FILE_TYPE_HTA FILE_TYPE_INTERNET_SHORTCUT FILE_TYPE_CAP FILE_TYPE_ISOIMAGE FILE_TYPE_SQUASHFS FILE_TYPE_VHD FILE_TYPE_APPLE FILE_TYPE_MACINTOSH FILE_TYPE_APPLESINGLE FILE_TYPE_APPLEDOUBLE FILE_TYPE_MACINTOSH_HFS FILE_TYPE_APPLE_PLIST FILE_TYPE_MACINTOSH_LIB FILE_TYPE_APPLESCRIPT FILE_TYPE_APPLESCRIPT_COMPILED FILE_TYPE_CRX FILE_TYPE_XPI FILE_TYPE_ROM FILE_TYPE_IPS FILE_TYPE_PEM FILE_TYPE_PGP FILE_TYPE_CRT enumDescriptions File type is UNSPECIFIED. File type is PE_EXE. Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL. File type is MSI. File type is NE_EXE. File type is NE_DLL. File type is DOS_EXE. File type is DOS_COM. File type is COFF. File type is ELF. File type is LINUX_KERNEL. File type is RPM. File type is LINUX. File type is MACH_O. File type is JAVA_BYTECODE. File type is DMG. File type is DEB. File type is PKG. File type is PYC. File type is LNK. File type is DESKTOP_ENTRY. File type is JPEG. File type is TIFF. File type is GIF. File type is PNG. File type is BMP. File type is GIMP. File type is Adobe InDesign. File type is PSD. Adobe Photoshop. File type is TARGA. File type is XWD. File type is DIB. File type is JNG. File type is ICO. File type is FPX. File type is EPS. File type is SVG. File type is EMF. File type is WEBP. File type is DWG. File type is DXF. File type is 3DS. File type is OGG. File type is FLC. File type is FLI. File type is MP3. File type is FLAC. File type is WAV. File type is MIDI. File type is AVI. File type is MPEG. File type is QUICKTIME. File type is ASF. File type is DIVX. File type is FLV. File type is WMA. File type is WMV. File type is RM. RealMedia type. File type is MOV. File type is MP4. File type is T3GP. File type is WEBM. File type is MKV. File type is PDF. File type is PS. File type is DOC. File type is DOCX. File type is PPT. File type is PPTX. File type is XLS. File type is XLSX. File type is RTF. File type is PPSX. File type is ODP. File type is ODS. File type is ODT. File type is HWP. File type is GUL. File type is ODF. File type is ODG. File type is ONE_NOTE. File type is OOXML. File type is SLK. File type is EBOOK. File type is LATEX. File type is TTF. File type is EOT. File type is WOFF. File type is CHM. File type is ZIP. File type is GZIP. File type is BZIP. File type is RZIP. File type is DZIP. File type is SEVENZIP. File type is CAB. File type is JAR. File type is RAR. File type is MSCOMPRESS. File type is ACE. File type is ARC. File type is ARJ. File type is ASD. File type is BLACKHOLE. File type is KGB. File type is ZLIB. File type is TAR. File type is ZST. File type is LZFSE. File type is PYTHON_WHL. File type is PYTHON_PKG. File type is MSIX, new Windows app package format. File type is TEXT. File type is SCRIPT. File type is PHP. File type is PYTHON. File type is PERL. File type is RUBY. File type is C. File type is CPP. File type is JAVA. File type is SHELLSCRIPT. File type is PASCAL. File type is AWK. File type is DYALOG. File type is FORTRAN. File type is JAVASCRIPT. File type is POWERSHELL. File type is VBA. File type is M4. File type is OBJETIVEC. File type is JMOD. File type is MAKEFILE. File type is INI. File type is CLJ. File type is PDB. File type is SQL. File type is NEKO. File type is WER. File type is GOLANG. File type is M3U. File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT). File type is MSC, Microsoft Management Console (MMC). File type is RDP, Microsoft Remote Desktop Protocol (RDP) file. File type is SYMBIAN. File type is PALMOS. File type is WINCE. File type is ANDROID. File type is IPHONE. File type is HTML. File type is XML. File type is SWF. File type is FLA. File type is COOKIE. File type is TORRENT. File type is EMAIL_TYPE. File type is OUTLOOK. File type is SGML. File type is JSON. File type is CSV. File type is HTA (HTML Application). File type is MSHTML .url. File type is CAP. File type is ISOIMAGE. File type is SQUASHFS. File type is VHD. File type is APPLE. File type is MACINTOSH. File type is APPLESINGLE. File type is APPLEDOUBLE. File type is MACINTOSH_HFS. File type is APPLE_PLIST. File type is MACINTOSH_LIB. File type is APPLESCRIPT. File type is APPLESCRIPT_COMPILED . File type is CRX. File type is XPI. File type is ROM. File type is IPS. File type is PEM. File type is PGP. File type is CRT. type string firstSeenTime description Timestamp the file was first seen in the customer's environment. format google-datetime type string firstSubmissionTime description First submission time of the file. format google-datetime type string fullPath description The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities. type string lastAccessTime description Timestamp when the file was accessed. format google-datetime type string lastAnalysisTime description Timestamp the file was last analysed. format google-datetime type string lastModificationTime description Timestamp when the file was last updated. format google-datetime type string lastSeenTime description Timestamp the file was last seen in the customer's environment. format google-datetime type string lastSubmissionTime description Last submission time of the file. format google-datetime type string mainIcon $ref Favicon description Icon's relevant hashes. md5 description The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string mimeType description The MIME (Multipurpose Internet Mail Extensions) type of the file, for example "PE", "PDF", or "powershell script". type string names description Names fields. items type string type array ntfs $ref NtfsFileMetadata description NTFS metadata. pdfInfo $ref PDFInfo description Information about the PDF file structure. peFile $ref FileMetadataPE description Metadata about the Portable Executable (PE) file. prevalence $ref Prevalence description Prevalence of the file hash in the customer's environment. securityResult $ref SecurityResult description Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata. sha1 description The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string sha256 description The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities. type string signatureInfo $ref SignatureInfo description File signature information extracted from different tools. size description The size of the file in bytes. format uint64 type string ssdeep description Ssdeep of the file type string statDev description The file system identifier to which the object belongs. format uint64 type string statFlags description User defined flags for file. format uint32 type integer statInode description The file identifier. Unique identifier of object within a file system. format uint64 type string statMode description The mode of the file. A bit string indicating the permissions and privileges of the file. format uint64 type string statNlink description Number of links to file. format uint64 type string symhash description SymHash of the file. Used for Mach-O (e.g. MacOS) binaries, to identify similar files based on their symbol table. type string tags description Tags for the file. items type string type array vhash description Vhash of the file. type string type object BoolSequence description BoolSequence represents a sequence of bools. id BoolSequence properties boolVals description bool sequence. items type boolean type array type object BytesSequence description BytesSequence represents a sequence of bytes. id BytesSequence properties bytesVals description bytes sequence. items format byte type string type array type object CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CertSignature description Certificate's signature and algorithm. id CertSignature properties signature description Signature. type string signatureAlgorithm description Algorithm. type string type object Certificate description Certificate information id Certificate properties issuer description Issuer of the certificate. type string md5 description The MD5 hash of the certificate, as a hex-encoded string. type string notAfter description Indicates when the certificate is no longer valid. format google-datetime type string notBefore description Indicates when the certificate is first valid. format google-datetime type string serial description Certificate serial number. type string sha1 description The SHA1 hash of the certificate, as a hex-encoded string. type string sha256 description The SHA256 hash of the certificate, as a hex-encoded string. type string subject description Subject of the certificate. type string version description Certificate version. type string type object Chip id Chip properties text type string type enum UNSPECIFIED ALERT NETWORK_CONNECTION EDR UNPARSED_RAW_LOG LOGIN_EVENT EMAIL_EVENT GENERIC TELEMETRY enumDescriptions type string type object Client description Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash). id Client properties certificate $ref Certificate description Client certificate. ja3 description JA3 hash from the TLS ClientHello, as a hex-encoded string. type string serverName description Host name of the server, that the client is connecting to. type string supportedCiphers description Ciphers supported by the client during client hello. items type string type array type object Cloud description Metadata related to the cloud environment. id Cloud properties availabilityZone description The cloud environment availability zone (different from region which is location.name). type string environment description The Cloud environment. enum UNSPECIFIED_CLOUD_ENVIRONMENT GOOGLE_CLOUD_PLATFORM AMAZON_WEB_SERVICES MICROSOFT_AZURE enumDescriptions Default. Google Cloud Platform. Amazon Web Services. Microsoft Azure. type string project $ref Resource deprecated True description The cloud environment project information. Deprecated: Use Resource.resource_ancestors vpc $ref Resource deprecated True description The cloud environment VPC. Deprecated. type object Collection description Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details). BEGIN GOOGLE-INTERNAL See go/udm:collections for additional details. END GOOGLE-INTERNAL An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow. NEXT TAG: 20 id Collection properties caseName description The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id} type string collectionElements description Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior. items $ref Element type array createdTime description Time the collection was created. format google-datetime type string dataAccessScope description The resource name of the DataAccessScope of this collection. BEGIN GOOGLE-INTERNAL We may change this name based on the final resource design of the scope. END GOOGLE-INTERNAL type string detection description Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field). items $ref SecurityResult type array detectionTime description Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the the time_window for multi-event rules or the time of the event for single event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event. format google-datetime type string feedbackHistory description The history of feedback submitted by analysts for this finding, in descending order by timestamp. This field is limited to the most recent 1000 feedback events. The primary feedback will also be included in this list. items $ref Feedback type array feedbackSummary $ref Feedback description The current primary analyst feedback. This does not include the history of feedback given, which may be supplied in `feedback`. id description Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID. type string idNamespace description The ID namespace used for the Collection. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string investigation $ref Investigation description Consolidated investigation details (categorization, status, etc) typically for collections that begin as detection findings and then evolve with analyst action and feedback into investigations around the detection output. lastUpdatedTime description Time the collection was last updated. format google-datetime type string responsePlatformInfo $ref ResponsePlatformInfo description Alert related info of this same alert in customer's SOAR platform. soarAlert description A boolean field indicating that the alert is present in SOAR. type boolean soarAlertMetadata $ref SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems via SOAR. tags description Tags set by UC/DSML/RE for the Finding during creation. items type string type array timeWindow $ref Interval description Time interval that the collection represents. type description What the collection represents. enum COLLECTION_TYPE_UNSPECIFIED TELEMETRY_ALERT GCTI_FINDING UPPERCASE_ALERT RULE_DETECTION MACHINE_INTELLIGENCE_ALERT SOAR_ALERT enumDescriptions An unspecified collection type. An alert reported in customer telemetry. A finding from the Uppercase team. A detection found by applying a rule. An alert generated by Chronicle machine learning models. An alert coming from other SIEMs via Chronicle SOAR. type string type object ColumnNames id ColumnNames properties names items type string type array type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DNSRecord description DNS record. id DNSRecord properties expire description Expire. format google-duration type string minimum description Minimum. format google-duration type string priority description Priority. format int64 type string refresh description Refresh. format google-duration type string retry description Retry. format int64 type string rname description Rname. type string serial description Serial. format int64 type string ttl description Time to live. format google-duration type string type description Type. type string value description Value. type string type object DataAccessIngestionLabel id DataAccessIngestionLabel properties key description The key. type string value description The value. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessLabels id DataAccessLabels properties allowScopedAccess description Are the labels ready for scoped access type boolean customLabels description All the complex labels (UDM search syntax based). items type string type array ingestionKvLabels description All the ingestion labels (key/value pairs). items $ref DataAccessIngestionLabel type array ingestionLabels deprecated True description All the ingestion labels. items type string type array logTypes description All the LogType labels. items type string type array namespaces description All the namespaces. items type string type array type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Date description Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values. * A month and day, with a zero year (for example, an anniversary). * A year on its own, with a zero month and a zero day. * A year and month, with a zero day (for example, a credit card expiration date). Related types: * google.type.TimeOfDay * google.type.DateTime * google.protobuf.Timestamp id Date properties day description Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant. format int32 type integer month description Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day. format int32 type integer year description Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year. format int32 type integer type object Detections id Detections properties baselineAlertsCount format int32 type integer complete type boolean detectionFieldAggregations $ref AlertFieldAggregations detections items $ref Collection type array filteredAlertsCount format int32 type integer tooManyDetections type boolean validSnapshotQuery type boolean type object Dhcp description DHCP information. id Dhcp properties chaddr description Client hardware address (chaddr). type string ciaddr description Client IP address (ciaddr). type string clientHostname description Client hostname. See RFC2132, section 3.14. type string clientIdentifier description Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field. format byte type string clientIdentifierString description Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier. type string file description Boot image filename. type string flags description Flags. format uint32 type integer giaddr description Relay agent IP address (giaddr). type string hlen description Hardware address length. format uint32 type integer hops description Hardware ops. format uint32 type integer htype description Hardware address type. format uint32 type integer leaseTimeSeconds description Lease time in seconds. See RFC2132, section 9.2. format uint32 type integer opcode description The BOOTP op code. enum UNKNOWN_OPCODE BOOTREQUEST BOOTREPLY enumDescriptions Default opcode. Request. Reply. type string options description List of DHCP options. items $ref Option type array requestedAddress description Requested IP address. See RFC2132, section 9.1. type string seconds description Seconds elapsed since client began address acquisition/renewal process. format uint32 type integer siaddr description IP address of the next bootstrap server. type string sname description Server name that the client wishes to boot from. type string transactionId description Transaction ID. format uint32 type integer type description DHCP message type. enum UNKNOWN_MESSAGE_TYPE DISCOVER OFFER REQUEST DECLINE ACK NAK RELEASE INFORM WIN_DELETED WIN_EXPIRED enumDescriptions Default message type. DHCPDISCOVER. DHCPOFFER. DHCPREQUEST. DHCPDECLINE. DHCPACK. DHCPNAK. DHCPRELEASE. DHCPINFORM. Microsoft Windows DHCP "lease deleted". Microsoft Windows DHCP "lease expired". type string yiaddr description Your IP address (yiaddr). type string type object Dns description DNS information. id Dns properties additional description A list of additional domain name servers that can be used to verify the answer to the domain. items $ref ResourceRecord type array answers description A list of answers to the domain name query. items $ref ResourceRecord type array authoritative description Other DNS header flags. See RFC1035, section 4.1.1. type boolean authority description A list of domain name servers which verified the answers to the domain name queries. items $ref ResourceRecord type array id description DNS query id. format uint32 type integer opcode description The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS). format uint32 type integer questions description A list of domain protocol message questions. items $ref Question type array recursionAvailable description Whether a recursive DNS lookup is available. type boolean recursionDesired description Whether a recursive DNS lookup is desired. type boolean response description Set to true if the event is a DNS response. See QR field from RFC1035. type boolean responseCode description Response code. See RCODE from RFC1035. format uint32 type integer truncated description Whether the DNS response was truncated. type boolean type object Domain description Information about a domain. id Domain properties admin $ref User description Parsed contact information for the administrative contact for the domain. auditUpdateTime description Audit updated time. format google-datetime type string billing $ref User description Parsed contact information for the billing contact of the domain. categories description Categories assign to the domain as retrieved from VirusTotal. items type string type array contactEmail description Contact email address. type string creationTime description Domain creation time. format google-datetime type string expirationTime description Expiration time. format google-datetime type string favicon $ref Favicon description Includes difference hash and MD5 hash of the domain's favicon. firstSeenTime description First seen timestamp of the domain in the customer's environment. format google-datetime type string ianaRegistrarId description IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml format int32 type integer jarm description Domain's JARM hash. type string lastDnsRecords description Domain's DNS records from the last scan. items $ref DNSRecord type array lastDnsRecordsTime description Date when the DNS records list was retrieved by VirusTotal. format google-datetime type string lastHttpsCertificate $ref SSLCertificate description SSL certificate object retrieved last time the domain was analyzed. lastHttpsCertificateTime description When the certificate was retrieved by VirusTotal. format google-datetime type string lastSeenTime description Last seen timestamp of the domain in the customer's environment. format google-datetime type string name description The domain name. This field can be used as an entity indicator for Domain entities. type string nameServer description Repeated list of name servers. items type string type array popularityRanks description Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo, etc items $ref PopularityRank type array prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. privateRegistration description Indicates whether the domain appears to be using a private registration service to mask the owner's contact information. type boolean registrant $ref User description Parsed contact information for the registrant of the domain. registrar description Registrar name . FOr example, "Wild West Domains, Inc. (R120-LROR)", "GoDaddy.com, LLC", or "PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM". type string registryDataRawText description Registry Data raw text. format byte type string status description Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for meanings of possible values type string tags description List of representative attributes. items type string type array tech $ref User description Parsed contact information for the technical contact for the domain updateTime description Last updated time. format google-datetime type string whoisRecordRawText description WHOIS raw text. format byte type string whoisServer description Whois server name. type string whoisTime description Date of the last update of the WHOIS record. format google-datetime type string zone $ref User description Parsed contact information for the zone. type object DoubleSequence description DoubleSequence represents a sequence of doubles. id DoubleSequence properties doubleVals description double sequence. items format double type number type array type object EC description EC public key information. id EC properties oid description Curve name. type string pub description Public key hexdump. type string type object Element description NEXT TAG: 5 id Element properties association $ref SecurityResult description Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, may include sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field). label description A name that labels the entire references group. type string references description References to model primatives including events and entities that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM / Entity). items $ref Reference type array referencesSampled description Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references. type boolean type object Email description Email info. id Email properties bcc description A list of 'bcc' addresses. items type string type array bounceAddress description The envelope from address. https://en.wikipedia.org/wiki/Bounce_address type string cc description A list of 'cc' addresses. items type string type array from description The 'from' address. type string mailId description The mail (or message) ID. type string replyTo description The 'reply to' address. type string subject description The subject line(s) of the email. items type string type array to description A list of 'to' addresses. items type string type array type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityChangedCountTimelineBucket id EntityChangedCountTimelineBucket properties entityChangedInfo items $ref EntityChangedInfo type array totalChangedEntitiesCount format int32 type integer type object EntityChangedInfo id EntityChangedInfo properties artifacts $ref FieldAndValue entityCount format int32 type integer type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityMetadata description Information about the Entity and the product where the entity was created. Next Tag: 17 id EntityMetadata properties collectedTimestamp description GMT timestamp when the entity information was collected by the vendor's local collection infrastructure. format google-datetime type string creationTimestamp description GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected. format google-datetime type string description description Human-readable description of the entity. type string entityType description Entity type. If an entity has multiple possible types, this specifies the most specific type. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string eventMetadata $ref Metadata description Metadata field from the event. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object feed description Vendor feed name for a threat indicator feed. type string interval $ref Interval description Valid existence time range for the version of the entity represented by this entity data. productEntityId description A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar). type string productName description Product name that produced the entity information. type string productVersion description Version of the product that produced the entity information. type string sourceLabels description Entity source metadata labels. items $ref Label type array sourceType description The source of the entity. enum SOURCE_TYPE_UNSPECIFIED ENTITY_CONTEXT DERIVED_CONTEXT GLOBAL_CONTEXT enumDescriptions Default source type Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT) Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats. Global contextual entities such as WHOIS or Safe Browsing. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Structured fields extracted from the log. type object threat description Metadata provided by a threat intelligence feed that identified the entity as malicious. items $ref SecurityResult type array vendorName description Vendor name of the product that produced the entity information. type string type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object EntityRisk description Stores information related to the risk score of an entity. Next ID: 15 id EntityRisk properties DEPRECATEDRiskScore deprecated True description Deprecated risk score. format int32 type integer detailUri description Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL. type string detectionsCount description Number of detections that make up the risk score within the time window. format int32 type integer firstDetectionTime description Timestamp of the first detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastDetectionTime description Timestamp of the last detection within the specified time window. This field is empty when there are no detections. format google-datetime type string lastResetTime description Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules. format google-datetime type string normalizedRiskScore description Normalized risk score for the entity. This value is between 0-1000. format int32 type integer rawRiskDelta $ref RiskDelta description Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window. riskDelta $ref RiskDelta description Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window. riskScore description Raw risk score for the entity. format float type number riskVersion description Version of the risk score calculation algorithm. type string riskWindow $ref Interval description Time window used when computing the risk score for an entity, for example 24 hours or 7 days. riskWindowHasNewDetections description Whether there are new detections for the risk window. type boolean riskWindowSize description Risk window duration for the entity. format google-duration type string type object ErrorMessage id ErrorMessage properties errorText type string type enum UNDEFINED_ERROR_TYPE INVALID_QUERY_TYPE INVALID_FIELD_PATH_TYPE UNCLOSED_BRACKET_TYPE BACKEND_ERROR_TYPE UNCLOSED_QUOTES_TYPE QUERY_TOO_LARGE_TYPE enumDescriptions type string type object EventCountTimeline id EventCountTimeline properties buckets items $ref EventCountTimelineBucket type array sizeOfBucketMs format int64 type string type object EventCountTimelineBucket id EventCountTimelineBucket properties alertCount format int32 type integer baselineAlertCount format int32 type integer baselineEventCount format int32 type integer baselineTimedEntityCount format int32 type integer entityChangedCount $ref EntityChangedCountTimelineBucket eventCount format int32 type integer filteredTimedEntityCount format int32 type integer type object Execution description Execution can be used to store metadata required for what action the UI should execute. id Execution properties metadata additionalProperties type string description Output only. The payload to use when executing the action. readOnly True type object type object ExifInfo description Exif information. id ExifInfo properties company description company name. type string compilationTime description Compilation time. format google-datetime type string entryPoint description entry point. format int64 type string fileDescription description description of a file. type string originalFile description original file name. type string product description product name. type string type object Extension description Certificate's extensions. id Extension properties authorityKeyId $ref AuthorityKeyId description Identifies the public key to be used to verify the signature on this certificate or CRL. ca description Whether the subject acts as a certificate authority (CA) or not. type boolean caInfoAccess description Authority information access locations are URLs that are added to a certificate in its authority information access extension. type string certTemplateNameDc description BMP data value "DomainController". See MS Q291010. type string certificatePolicies description Different certificate policies will relate to different applications which may use the certified key. type string crlDistributionPoints description CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked. type string extendedKeyUsage description One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field. type string keyUsage description The purpose for which the certified public key is used. type string netscapeCertComment description Used to include free-form text comments inside certificates. type string netscapeCertificate description Identify whether the certificate subject is an SSL client, an SSL server, or a CA. type boolean oldAuthorityKeyId description Whether the certificate has an old authority key identifier extension. type boolean peLogotype description Whether the certificate includes a logotype. type boolean subjectAlternativeName description Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key. type string subjectKeyId description Identifies the public key being certified. type string type object Extensions description Extensions to a UDM event. id Extensions properties auth $ref Authentication description An authentication extension. entityRisk $ref EntityRisk description An entity risk change extension. vulns $ref Vulnerabilities description A vulnerability extension. type object Favicon description Difference hash and MD5 hash of the domain's favicon. id Favicon properties dhash description Difference hash. type string rawMd5 description Favicon's MD5 hash. type string type object Feedback id Feedback properties comment description Optional. type string confidenceScore format int32 type integer createdTime format google-datetime type string disregarded type boolean idpUserId type string priority description Optional. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string priorityDisplay description Optional. type string reason description Optional. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore format int32 type integer rootCause description Optional. type string severity format int32 type integer severityDisplay description Optional. type string status description Optional. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object FieldAndValue id FieldAndValue properties entityNamespace type string fieldPath type string kvalueType enum UNKNOWN COLLECTOR_ID EVENT_SHARD ASSET_IP_ADDRESS MAC HOSTNAME PRODUCT_SPECIFIC_ID NAMESPACE DOMAIN_NAME RESOLVED_IP_ADDRESS STEMMED_DOMAIN_NAME PROCESS_ID FULL_COMMAND_LINE FILE_NAME FILE_PATH HASH_MD5 HASH_SHA256 HASH_SHA1 RAW_PID PARENT_PROCESS_ID EMAIL USERNAME WINDOWS_SID EMPLOYEE_ID PRODUCT_OBJECT_ID USER_DISPLAY_NAME CLOUD_RESOURCE_NAME REGISTRY_KEY REGISTRY_VALUE_DATA REGISTRY_VALUE_NAME enumDescriptions type string value type string type object FileMetadata description Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type. id FileMetadata properties pe $ref PeFileMetadata deprecated True description Metadata for Microsoft Windows PE files. Deprecate PeFileMetadata in favor of single File proto. type object FileMetadataCodesign description File metadata from the codesign utility. id FileMetadataCodesign properties compilationTime description Code sign timestamp format google-datetime type string format description Code sign format. type string id description Code sign identifier. type string teamId description The assigned team identifier of the developer who signed the application. type string type object FileMetadataImports description File metadata imports. id FileMetadataImports properties functions description Function field. items type string type array library description Library field. type string type object FileMetadataPE description Metadata about the Portable Executable (PE) file. id FileMetadataPE properties compilationExiftoolTime description info.exiftool.TimeStamp. format google-datetime type string compilationTime description info.pe-timestamp. format google-datetime type string entryPoint description info.pe-entry-point. format int64 type string entryPointExiftool description info.exiftool.EntryPoint. format int64 type string imphash description Imphash of the file. type string imports description FilemetadataImports fields. items $ref FileMetadataImports type array resource description FilemetadataPeResourceInfo fields. items $ref FileMetadataPeResourceInfo type array resourcesLanguageCount deprecated True description Deprecated: use resources_language_count_str. items $ref StringToInt64MapEntry type array resourcesLanguageCountStr description Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10 items $ref Label type array resourcesTypeCount deprecated True description Deprecated: use resources_type_count_str. items $ref StringToInt64MapEntry type array resourcesTypeCountStr description Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5 items $ref Label type array section description FilemetadataSection fields. items $ref FileMetadataSection type array signatureInfo $ref FileMetadataSignatureInfo deprecated True description FilemetadataSignatureInfo field. deprecated, user File.signature_info instead. type object FileMetadataPeResourceInfo description File metadata for PE resource. id FileMetadataPeResourceInfo properties entropy description Entropy of the resource. format double type number fileType description File type. Note that this value may not match any of the well-known type identifiers defined in the ResourceType enum. type string filetypeMagic description Type of resource content, as identified by the magic Python module. type string languageCode description Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification. Examples: | Language | Sublanguage | Field value | | LANG_NEUTRAL | SUBLANG_NEUTRAL | NEUTRAL | | LANG_FRENCH | - | FRENCH | | LANG_ENGLISH | SUBLANG_ENGLISH US | ENGLISH US | type string sha256Hex description SHA256_hex field.. type string type object FileMetadataSection description File metadata section. id FileMetadataSection properties entropy description Entropy of the section. format double type number md5Hex description MD5 hex of the file. type string name description Name of the section. type string rawSizeBytes description Raw file size in bytes. format int64 type string virtualSizeBytes description Virtual file size in bytes. format int64 type string type object FileMetadataSignatureInfo description Signature information. id FileMetadataSignatureInfo properties signer deprecated True description Deprecated: use signers field. items type string type array signers description File metadata signer information. The order of the signers matters. Each element is a higher level authority, being the last the root authority. items $ref SignerInfo type array verificationMessage description Status of the certificate. Valid values are "Signed", "Unsigned" or a description of the certificate anomaly, if found. type string verified description True if verification_message == "Signed" type boolean x509 description List of certificates. items $ref X509 type array type object FilterProperties id FilterProperties properties hidden type boolean stringProperties additionalProperties $ref StringValues type object type object FindingVariable description A structure that holds the value and associated metadata for values extracted while producing a Finding. id FindingVariable properties boolSeq $ref BoolSequence description The value in boolsequence format. boolVal description The value in boolean format. type boolean bytesSeq $ref BytesSequence description The value in bytessequence format. bytesVal description The value in bytes format. format byte type string doubleSeq $ref DoubleSequence description The value in doublesequence format. doubleVal description The value in double format. format double type number int64Seq $ref Int64Sequence description The value in int64sequence format. int64Val description The value in int64 format. format int64 type string nullVal description Whether the value is null. type boolean sourcePath description The UDM field path for the field which this value was derived from. Example: `principal.user.username` type string stringSeq $ref StringSequence description The value in stringsequence format. stringVal description The value in string format. Enum values are returned as strings. type string type description The type of the variable. enum TYPE_UNSPECIFIED MATCH OUTCOME enumDescriptions An unspecified variable type. A variable coming from the match conditions. A variable representing significant data that was found in the detection logic. type string uint64Seq $ref Uint64Sequence description The value in uint64sequence format. uint64Val description The value in uint64 format. format uint64 type string value description The value in string form. type string type object FollowUp description FollowUp can be used to store metadata required to send a follow up message by the UI. id FollowUp properties followUp description Output only. The text to use as input when generating the follow up message. readOnly True type string type object Ftp description FTP info. id Ftp properties command description The FTP command. type string type object FunctionResponse id FunctionResponse properties rows items $ref FunctionResponseRow type array tooManyRows type boolean type object FunctionResponseRow id FunctionResponseRow properties values items $ref UdmFieldValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description LINT.IfChange(stats_data) Stats results when the query is for statistics NEXT TAG = 6; id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats properties dataQueryExpression description Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result. type string results description Result rows that are queried. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData type array sortOrder description Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort type array tooManyResults description If true, there are too many results to return and some have been omitted. type boolean totalResults description The total number of results returned. format int32 type integer type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData description Represents a single column in the set of columns returned as the stats query result. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnData properties column description Used to store column names. type string filterExpression description Expression used to compose a query for filtering/drill-downs related to the data in this column. type string filterable description To identify if the column can be used for filtering/drill-downs. type boolean values description To store store column data. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort description Contains the column name and which direction the column is sorted (ascending or descenging). id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnSort properties descending description Whether the column is sorted in descending order (ascending by default); type boolean name description Name of the column. type string type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType description Singular vs list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnType properties list $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description List of values in a column e.g. IPs value $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Single value in a column. type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList description Store list of values in a column. id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnTypeList properties values description List of values in one cell of the column. items $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue type array type object GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue description Value of the column based on data type id GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStatsColumnValue properties boolVal description Boolean value. type boolean bytesVal description Bytes value. format byte type string dateVal $ref Date description Date values. doubleVal description Double value. format double type number int64Val description Integer value (signed). format int64 type string nullVal description True if the value is NULL. type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any description For any proto values that are not any of the above. type object stringVal description String value. Enum values are returned as strings. type string timestampVal description Timestamp values. format google-datetime type string uint64Val description Un-signed integer value. format uint64 type string type object Group description Information about an organizational group. id Group properties attribute $ref Attribute description Generic entity metadata attributes of the group. creationTime deprecated True description Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata. format google-datetime type string emailAddresses description Email addresses of the group. items type string type array groupDisplayName description Group display name. e.g. "Finance". type string productObjectId description Product globally unique user object identifier, such as an LDAP Object Identifier. type string windowsSid description Microsoft Windows SID of the group. type string type object GroupAggregationByField id GroupAggregationByField properties baselineEventCount format int32 type integer eventCount format int32 type integer fieldName type string fieldValue $ref UdmFieldValue fields items $ref UdmFieldAggregation type array valueCount format int32 type integer type object Hardware description Hardware specification details for a resource, including both physical and virtual hardware. id Hardware properties cpuClockSpeed description Clock speed of the hardware CPU in MHz. format uint64 type string cpuMaxClockSpeed description Maximum possible clock speed of the hardware CPU in MHz. format uint64 type string cpuModel description Model description of the hardware CPU (e.g. "2.8 GHz Quad-Core Intel Core i5"). type string cpuNumberCores description Number of CPU cores. format uint64 type string cpuPlatform description Platform of the hardware CPU (e.g. "Intel Broadwell"). type string manufacturer description Hardware manufacturer. type string model description Hardware model. type string ram description Amount of the hardware ramdom access memory (RAM) in Mb. format uint64 type string serialNumber description Hardware serial number. type string type object Http description Specify the full URL of the HTTP request within "target". Also specify any uploaded or downloaded file information within "source" or "target". id Http properties method description The HTTP request method (e.g. "GET", "POST", "PATCH", "DELETE"). type string parsedUserAgent $ref UserAgentProto description The parsed user_agent string. referralUrl description The URL for the HTTP referer. type string responseCode description The response status code, for example 200, 302, 404, or 500. format int32 type integer userAgent description The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. type string type object Id description Identifier to identify a UDM object like a UDM event, Entity, Collection. The full identifier for persistence is created by setting the 32 most significant bits as the Id.Namespace enum and the rest according to go/udm:ids. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs, most persistence use cases should use a denormalized form. See go/udm:ids for background and details. id Id properties id description Full raw ID. format byte type string namespace description Namespace the id belongs to. enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string stringId description Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa... type string type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{location}/instances/{instance} readOnly True type string type object InstanceUdmSearchResponse id InstanceUdmSearchResponse properties baselineEventsCount format int32 type integer complete type boolean detections $ref Detections filteredEventsCount format int32 type integer instanceId type string prevalence $ref UdmPrevalenceResponse progress format double type number runtimeErrors $ref RuntimeError timeline $ref EventCountTimeline tooManyEvents type boolean type object Int64Sequence description Int64Sequence represents a sequence of int64s. id Int64Sequence properties int64Vals description int64 sequence. items format int64 type string type array type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object Investigation description Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more. id Investigation properties comments description Comment added by the Analyst. items type string type array priority description Priority of the Alert or Finding set by analyst. enum PRIORITY_UNSPECIFIED PRIORITY_INFO PRIORITY_LOW PRIORITY_MEDIUM PRIORITY_HIGH PRIORITY_CRITICAL enumDescriptions Default priority level. Informational priority. Low priority. Medium priority. High priority. Critical priority. type string reason description Reason for closing the Case or Alert. enum REASON_UNSPECIFIED REASON_NOT_MALICIOUS REASON_MALICIOUS REASON_MAINTENANCE enumDescriptions Default reason. Case or Alert not malicious. Case or Alert is malicious. Case or Alert is under maintenance. type string reputation description Describes whether a finding was useful or not-useful. enum REPUTATION_UNSPECIFIED USEFUL NOT_USEFUL enumDescriptions An unspecified reputation. A categorization of the finding as useful. A categorization of the finding as not useful. type string riskScore description Risk score for a finding set by an analyst. format uint32 type integer rootCause description Root cause of the Alert or Finding set by analyst. type string severityScore description Severity score for a finding set by an analyst. format uint32 type integer status description Describes the workflow status of a finding. enum STATUS_UNSPECIFIED NEW REVIEWED CLOSED OPEN enumDescriptions Unspecified finding status. New finding. When a finding has feedback. When an analyst closes an finding. Open. Used to indicate that a Case / Alert is open. type string verdict description Describes reason a finding investigation was resolved. enum VERDICT_UNSPECIFIED TRUE_POSITIVE FALSE_POSITIVE enumDescriptions An unspecified verdict. A categorization of the finding as a "true positive". A categorization of the finding as a "false positive". type string type object IoCStats description Information about the threat intelligence source. These fields are used to model Mandiant sources. id IoCStats properties benignCount description Count of responses where the IoC was identified as benign. format int32 type integer firstLevelSource description Name of first level IoC source, for example Mandiant or a third-party. type string iocStatsType description Describes the source of the IoCStat. enum UNSPECIFIED_IOC_STATS_TYPE MANDIANT_SOURCES THIRD_PARTY_SOURCES THREAT_INTELLIGENCE_IOC_STATS enumDescriptions IoCStat source is unidentified. IoCStat is from a Mandiant Source. IoCStat is from a third-party source. IoCStat is from a threat intelligence feed. type string maliciousCount description Count of responses where the IoC was identified as malicious. format int32 type integer quality description Level of confidence in the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total number of response from the source. format int32 type integer secondLevelSource description Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph. type string sourceCount description Number of sources from which information was extracted. format int32 type integer type object Label description Key value labels. id Label properties key description The key. type string rbacEnabled description Indicates whether this label can be used for Data RBAC type boolean source description Where the label is derived from. type string value description The value. type string type object LatLng description An object that represents a latitude/longitude pair. This is expressed as a pair of doubles to represent degrees latitude and degrees longitude. Unless specified otherwise, this object must conform to the WGS84 standard. Values must be within normalized ranges. id LatLng properties latitude description The latitude in degrees. It must be in the range [-90.0, +90.0]. format double type number longitude description The longitude in degrees. It must be in the range [-180.0, +180.0]. format double type number type object LegacyFederatedUdmSearchViewResponse description Response to a Federated UDM Search query. This will be used by StreamSearchOperation RPC to return the results of a federated search operation. id LegacyFederatedUdmSearchViewResponse properties activityTimeline $ref EventCountTimeline description Timeline of event counts broken into hourly/daily buckets to identify activity. aiOverview $ref AIOverview description LINT.ThenChange( //depot/google3/google/cloud/chronicle/v1main/dashboard_query.proto:data_sources, //depot/google3/googlex/security/malachite/proto/udm_search.proto:data_sources ) AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generate_ai_overview is set to true in the request. baselineEventsCount description The number of events in the baseline query. format int32 type integer complete description Streaming for this response is done. There will be no additional updates. type boolean dataSources description Datasource of the query and results in case of a statistics query items enum SEARCH_DATA_SOURCE_UNSPECIFIED SEARCH_UDM SEARCH_ENTITY SEARCH_RULE_DETECTIONS SEARCH_RULESETS enumDescriptions Unspecified data source. Events Entities To be used for detections data source. To be used for ruleset with detections datasource. type string type array detectionFieldAggregations $ref AlertFieldAggregations description List of detection fields with aggregated values. This enabled filtering in the Alerts panel for federated search. events $ref UdmEventList description List of UDM events. NOTE: After complete is set to true, the `UdmEventList` message will be omitted from the response. The latest message should be used as reference. If the `UdmEventList` message is returned again, then it should replace the previous value. fieldAggregations $ref UdmFieldAggregations description List of UDM fields with aggregated values. filteredEventsCount description The number of events in the snapshot that match the snapshot_query. This is <= `baseline_events_count`. If the snapshot query is empty this will be equivalent to `baseline_events_count`. format int32 type integer groupedFieldAggregations $ref UdmFieldAggregations description List of grouped fields with aggregated values. instanceAggregations $ref UdmFieldAggregations description Instance aggregations for the search results. Provides information on the number of events per instance for the aggregations panel in the UI. This allows users to easily drill-down into the individual instances. instanceUdmSearchResponses description All the instance specific UDM search responses. items $ref InstanceUdmSearchResponse type array operation description The name of the operation resource representing the UDM Search operation. This can be passed to `StreamSearchOperation` to fetch stored results or stream the results of an in-progress operation. The metadata type of the operation is `UdmSearchMetadata`. The response type is `LegacyFetchUdmSearchViewResponse`. Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation} type string progress description Progress of the query represented as a double between 0 and 1. format double type number queryValidationErrors description Parse error for the baseline_query and/or the snapshot_query. items $ref ErrorMessage type array runtimeErrors description Runtime errors. items $ref RuntimeError type array stats $ref GoogleCloudChronicleV1alphaLegacyFederatedUdmSearchViewResponseStats description Stats results when the query is for statistics statsFunctionParameterValidationErrorMessage description If the request's stats_function_parameter` is invalid, this field will contain the detailed error message. type string statsFunctionResponse $ref FunctionResponse description Result for statistical function. timeline $ref EventCountTimeline description Timeline of event counts broken into buckets. This populates the trend-over-time chart in the UI. tooLargeResponse description If true, the response to be returned to the UI is too large and some events have been omitted. type boolean tooManyEvents description If true, there are too many events to return and some have been omitted. type boolean validBaselineQuery description Indicates whether the request baseline_query is a valid structured query or not. If not, `query_validation_errors` will include the parse error. type boolean validSnapshotQuery description Indicates whether the request baseline and snapshot queries are valid. If not, `query_validation_errors` will include the parse error. type boolean type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Location description Information about a location. id Location properties city description The city. type string countryOrRegion description The country or region. type string deskName description Desk name or individual location, typically for an employee in an office. (e.g. "IN-BLR-BCPC-11-1121D"). type string floorName description Floor name, number or a combination of the two for a building. (e.g. "1-A"). type string name description Custom location name (e.g. building or site name like "London Office"). For cloud environments, this is the region (e.g. "us-west2"). type string regionCoordinates $ref LatLng description Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields. regionLatitude deprecated True description Deprecated: use region_coordinates. format float type number regionLongitude deprecated True description Deprecated: use region_coordinates. format float type number state description The state. type string type object Manual description Entities are added manually. id Manual properties type object Measure description Describes the precomputed measure. id Measure properties aggregateFunction description Function used to calculate the aggregated measure. enum AGGREGATE_FUNCTION_UNSPECIFIED MIN MAX COUNT SUM AVG STDDEV enumDescriptions Default value. Minimum. Maximum. Count. Sum. Average. Standard Deviation. type string value description Value of the aggregated measure. format double type number type object Metadata description General information associated with a UDM event. id Metadata properties baseLabels $ref DataAccessLabels description Data access labels on the base event. collectedTimestamp description The GMT timestamp when the event was collected by the vendor's local collection infrastructure. format google-datetime type string description description A human-readable unparsable description of the event. type string enrichmentLabels $ref DataAccessLabels description Data access labels from all the contextual events used to enrich the base event. enrichmentState description The enrichment state. enum ENRICHMENT_STATE_UNSPECIFIED ENRICHED UNENRICHED enumDescriptions Unspecified. The event has been enriched by Chronicle. The event has not been enriched by Chronicle. type string eventTimestamp description The GMT timestamp when the event was generated. format google-datetime type string eventType description The event type. If an event has multiple possible types, this specifies the most specific type. enum EVENTTYPE_UNSPECIFIED PROCESS_UNCATEGORIZED PROCESS_LAUNCH PROCESS_INJECTION PROCESS_PRIVILEGE_ESCALATION PROCESS_TERMINATION PROCESS_OPEN PROCESS_MODULE_LOAD REGISTRY_UNCATEGORIZED REGISTRY_CREATION REGISTRY_MODIFICATION REGISTRY_DELETION SETTING_UNCATEGORIZED SETTING_CREATION SETTING_MODIFICATION SETTING_DELETION MUTEX_UNCATEGORIZED MUTEX_CREATION FILE_UNCATEGORIZED FILE_CREATION FILE_DELETION FILE_MODIFICATION FILE_READ FILE_COPY FILE_OPEN FILE_MOVE FILE_SYNC USER_UNCATEGORIZED USER_LOGIN USER_LOGOUT USER_CREATION USER_CHANGE_PASSWORD USER_CHANGE_PERMISSIONS USER_STATS USER_BADGE_IN USER_DELETION USER_RESOURCE_CREATION USER_RESOURCE_UPDATE_CONTENT USER_RESOURCE_UPDATE_PERMISSIONS USER_COMMUNICATION USER_RESOURCE_ACCESS USER_RESOURCE_DELETION GROUP_UNCATEGORIZED GROUP_CREATION GROUP_DELETION GROUP_MODIFICATION EMAIL_UNCATEGORIZED EMAIL_TRANSACTION EMAIL_URL_CLICK NETWORK_UNCATEGORIZED NETWORK_FLOW NETWORK_CONNECTION NETWORK_FTP NETWORK_DHCP NETWORK_DNS NETWORK_HTTP NETWORK_SMTP STATUS_UNCATEGORIZED STATUS_HEARTBEAT STATUS_STARTUP STATUS_SHUTDOWN STATUS_UPDATE SCAN_UNCATEGORIZED SCAN_FILE SCAN_PROCESS_BEHAVIORS SCAN_PROCESS SCAN_HOST SCAN_VULN_HOST SCAN_VULN_NETWORK SCAN_NETWORK SCHEDULED_TASK_UNCATEGORIZED SCHEDULED_TASK_CREATION SCHEDULED_TASK_DELETION SCHEDULED_TASK_ENABLE SCHEDULED_TASK_DISABLE SCHEDULED_TASK_MODIFICATION SYSTEM_AUDIT_LOG_UNCATEGORIZED SYSTEM_AUDIT_LOG_WIPE SERVICE_UNSPECIFIED SERVICE_CREATION SERVICE_DELETION SERVICE_START SERVICE_STOP SERVICE_MODIFICATION GENERIC_EVENT RESOURCE_CREATION RESOURCE_DELETION RESOURCE_PERMISSIONS_CHANGE RESOURCE_READ RESOURCE_WRITTEN DEVICE_FIRMWARE_UPDATE DEVICE_CONFIG_UPDATE DEVICE_PROGRAM_UPLOAD DEVICE_PROGRAM_DOWNLOAD ANALYST_UPDATE_VERDICT ANALYST_UPDATE_REPUTATION ANALYST_UPDATE_SEVERITY_SCORE ANALYST_UPDATE_STATUS ANALYST_ADD_COMMENT ANALYST_UPDATE_PRIORITY ANALYST_UPDATE_ROOT_CAUSE ANALYST_UPDATE_REASON ANALYST_UPDATE_RISK_SCORE ENTITY_RISK_CHANGE enumDeprecated False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False True False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False False enumDescriptions Default event type Activity related to a process which does not match any other event types. Process launch. Process injecting into another process. Process privilege escalation. Process termination. Process being opened. Process loading a module. Registry event which does not match any of the other event types. Registry creation. Registry modification. Registry deletion. Settings-related event which does not match any of the other event types. Setting creation. Setting modification. Setting deletion. Any mutex event other than creation. Mutex creation. File event which does not match any of the other event types. File created. File deleted. File modified. File read. File copied. Used for file copies, for example, to a thumb drive. File opened. File moved or renamed. File synced (for example, Google Drive, Dropbox, backup). User activity which does not match any of the other event types. User login. User logout. User creation. User password change event. Change in user permissions. Deprecated. Used to update user info for an LDAP dump. User physically badging into a location. User deletion. User creating a virtual resource. This is equivalent to RESOURCE_CREATION. User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN. User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE. User initiating communication through a medium (for example, video). User accessing a virtual resource. This is equivalent to RESOURCE_READ. User deleting a virtual resource. This is equivalent to RESOURCE_DELETION. A group activity that does not fall into one of the other event types. A group creation. A group deletion. A group modification. Email messages An email transaction. Deprecated: use NETWORK_HTTP instead. An email URL click event. A network event that does not fit into one of the other event types. Aggregated flow stats like netflow. Network connection details like from a FW. FTP telemetry. DHCP payload. DNS payload. HTTP telemetry. SMTP telemetry. A status message that does not fit into one of the other event types. Heartbeat indicating product is alive. An agent startup. An agent shutdown. A software or fingerprint update. Scan item that does not fit into one of the other event types. A file scan. Scan process behaviors. Please use SCAN_PROCESS instead. Scan process. Scan results from scanning an entire host device for threats/sensitive documents. Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan). Vulnerability scan logs about network vulnerabilities. Scan network for suspicious activity Scheduled task event that does not fall into one of the other event types. Scheduled task creation. Scheduled task deletion. Scheduled task being enabled. Scheduled task being disabled. Scheduled task being modified. A system audit log event that is not a wipe. A system audit log wipe. Service event that does not fit into one of the other event types. A service creation. A service deletion. A service start. A service stop. A service modification. Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs. The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION. The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION. The resource had it's permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS. The resource was read. This is equivalent to USER_RESOURCE_ACCESS. The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT. Firmware update. Configuration update. A program or application uploaded to a device. A program or application downloaded to a device. Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding. Analyst update about the Reputation (such as useful or not useful) of a finding. Analyst update about the Severity score (0-100) of a finding. Analyst update about the finding status. Analyst addition of a comment for a finding. Analyst update about the priority (such as low, medium, or high) for a finding. Analyst update about the root cause for a finding. Analyst update about the reason (such as malicious or not malicious) for a finding. Analyst update about the risk score (0-100) of a finding. An update to an entity risk score. This event type is restricted to events published by Google Securit Operations Risk Analytics. type string id description ID of the UDM event. Can be used for raw and normalized event retrieval. format byte type string ingestedTimestamp description The GMT timestamp when the event was ingested (received) by Chronicle. format google-datetime type string ingestionLabels description User-configured ingestion metadata labels. items $ref Label type array logType description The string value of log type. type string productDeploymentId description The deployment identifier assigned by the vendor for a product deployment. type string productEventType description A short, descriptive, human-readable, product-specific event name or type (e.g. "Scanned X", "User account created", "process_start"). type string productLogId description A vendor-specific event identifier to uniquely identify the event (e.g. a GUID). type string productName description The name of the product. type string productVersion description The version of the product. type string structuredFields additionalProperties description Properties of the object. type any deprecated True description Flattened fields extracted from the log. type object tags $ref Tags description Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser. urlBackToProduct description A URL that takes the user to the source product console for this event. type string vendorName description The name of the product vendor. type string type object Metric description Stores precomputed aggregated analytic data for an entity. id Metric properties dimensions description All group by clauses used to calculate the metric. items enum DIMENSION_UNSPECIFIED PRINCIPAL_DEVICE TARGET_USER TARGET_DEVICE PRINCIPAL_USER TARGET_IP PRINCIPAL_FILE_HASH PRINCIPAL_COUNTRY SECURITY_CATEGORY NETWORK_ASN CLIENT_CERTIFICATE_HASH DNS_QUERY_TYPE DNS_DOMAIN HTTP_USER_AGENT EVENT_TYPE PRODUCT_NAME PRODUCT_EVENT_TYPE PARENT_FOLDER_PATH TARGET_RESOURCE_NAME PRINCIPAL_APPLICATION TARGET_APPLICATION EMAIL_TO_ADDRESS EMAIL_FROM_ADDRESS MAIL_ID PRINCIPAL_IP SECURITY_ACTION SECURITY_RULE_ID TARGET_NETWORK_ORGANIZATION_NAME PRINCIPAL_NETWORK_ORGANIZATION_NAME PRINCIPAL_PROCESS_FILE_PATH PRINCIPAL_PROCESS_FILE_HASH SECURITY_RESULT_RULE_NAME TARGET_RESOURCE_LABEL_KEY VENDOR_NAME TARGET_RESOURCE_TYPE TARGET_LOCATION_NAME enumDescriptions Default Principal Device Target User Target Device Principal User Target IP Principal File Hash Principal Country Security Category Network ASN Client Certificate Hash DNS Query Type DNS Domain HTTP User Agent Event Type Product Name Product Event Type Parent Folder Path Target resource Name Principal Application. Target Application. Email To Address. Email From Address. Mail Id. Principal IP. Security Action. Security Rule Id. Target Network Organization name. Principal Network Organization name. Principal Process File Path. Principal Process File SHA256 Hash. Security Result rule name. Target Resource label key. Vendor name. Target Resource type. Target Location name. type string type array exportWindow description Export window for which the metric was exported. format int64 type string firstSeen description Timestamp of the first time the entity was seen in the environment. format google-datetime type string lastSeen description Time stamp of the last time last time the entity was seen in the environment. format google-datetime type string metricName description Name of the analytic. enum METRIC_NAME_UNSPECIFIED NETWORK_BYTES_INBOUND NETWORK_BYTES_OUTBOUND NETWORK_BYTES_TOTAL AUTH_ATTEMPTS_SUCCESS AUTH_ATTEMPTS_FAIL AUTH_ATTEMPTS_TOTAL DNS_BYTES_OUTBOUND NETWORK_FLOWS_INBOUND NETWORK_FLOWS_OUTBOUND NETWORK_FLOWS_TOTAL DNS_QUERIES_SUCCESS DNS_QUERIES_FAIL DNS_QUERIES_TOTAL FILE_EXECUTIONS_SUCCESS FILE_EXECUTIONS_FAIL FILE_EXECUTIONS_TOTAL HTTP_QUERIES_SUCCESS HTTP_QUERIES_FAIL HTTP_QUERIES_TOTAL WORKSPACE_EMAILS_SENT_TOTAL WORKSPACE_TOTAL_DOWNLOAD_ACTIONS WORKSPACE_TOTAL_CHANGE_ACTIONS WORKSPACE_AUTH_ATTEMPTS_TOTAL WORKSPACE_NETWORK_BYTES_OUTBOUND WORKSPACE_NETWORK_BYTES_TOTAL ALERT_EVENT_NAME_COUNT RESOURCE_CREATION_TOTAL RESOURCE_CREATION_SUCCESS RESOURCE_READ_SUCCESS RESOURCE_READ_FAIL RESOURCE_DELETION_SUCCESS enumDescriptions Default Total received network bytes. Total network sent bytes. Total network sent bytes and received bytes. Successful authentication attempts. Failed authentication attempts. Total authentication attempts. Total number of sent bytes for DNS events. Total number of events having non-null received bytes. Total number of events having non-null sent bytes. Total events having non-null sent or received bytes. DNS query success count - Number of events with response_code = 0. Number of events with response_code != 0. Total number of DNS queries made. Number of successfule file executions. Number of failed file executions. Total number file executions. Number of successful HTTP queries. Number of failed HTTP queries. Total number of HTTP queries. Total number of emails sent in Google Workspace. Total number of download actions in Google Workspace. Total number of change actions in Google Workspace. Total number of authentication attempts in Google Workspace. Number of outbound network bytes (total sent) in Google Workspace. Total number of network bytes (both sent and received) in Google Workspace. Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH. First-time analytic tracking successful resource creations. Volume-based analytic tracking successful resource creations. Volume-based analytic tracking successful resource reads. Volume-based analytic tracking failed resource reads. Volume-based analytic tracking successful resource deletions. type string sumMeasure $ref Measure description Sum of all precomputed measures for the given metric. totalEvents description Total number of events used to calculate the given precomputed metric. format int64 type string type object Navigation description Navigation can be used to store the metadata required to navigate the user to a new URL. id Navigation properties targetUri description Output only. The URI to redirect the user to. readOnly True type string type object Network description A network event. id Network properties applicationProtocol description The application protocol. enum UNKNOWN_APPLICATION_PROTOCOL AFP APPC AMQP ATOM BEEP BITCOIN BIT_TORRENT CFDP CIP COAP COTP DCERPC DDS DEVICE_NET DHCP DICOM DNP3 DNS E_DONKEY ENRP FAST_TRACK FINGER FREENET FTAM GOOSE GOPHER GRPC HL7 H323 HTTP HTTPS IEC104 IRCP KADEMLIA KRB5 LDAP LPD MIME MMS MODBUS MQTT NETCONF NFS NIS NNTP NTCIP NTP OSCAR PNRP PTP QUIC RDP RELP RIP RLOGIN RPC RTMP RTP RTPS RTSP SAP SDP SIP SLP SMB SMTP SNMP SNTP SSH SSMS STYX SV TCAP TDS TOR TSP VTP WHOIS WEB_DAV X400 X500 XMPP enumDescriptions The default application protocol. Apple Filing Protocol. Advanced Program-to-Program Communication. Advanced Message Queuing Protocol. Publishing Protocol. Block Extensible Exchange Protocol. Crypto currency protocol. Peer-to-peer file sharing. Coherent File Distribution Protocol. Common Industrial Protocol. Constrained Application Protocol. Connection Oriented Transport Protocol. DCE/RPC. Data Distribution Service. Automation industry protocol. DHCP. Digital Imaging and Communications in Medicine Protocol. Distributed Network Protocol 3 (DNP3) DNS. Classic file sharing protocol. Endpoint Handlespace Redundancy Protocol. Filesharing peer-to-peer protocol. User Information Protocol. Censorship resistant peer-to-peer network. File Transfer Access and Management. GOOSE Protocol. Gopher protocol. gRPC Remote Procedure Call. Health Level Seven. Packet-based multimedia communications system. HTTP. HTTPS. IEC 60870-5-104 (IEC 104) Protocol. Internet Relay Chat Protocol. Peer-to-peer hashtables. Kerberos 5. Lightweight Directory Access Protocol. Line Printer Daemon Protocol. Multipurpose Internet Mail Extensions and Secure MIME. Multimedia Messaging Service. Serial communications protocol. Message Queuing Telemetry Transport. Network Configuration. Network File System. Network Information Service. Network News Transfer Protocol. National Transportation Communications for Intelligent Transportation System. Network Time Protocol. AOL Instant Messenger Protocol. Peer Name Resolution Protocol. Precision Time Protocol. QUIC. Remote Desktop Protocol. Reliable Event Logging Protocol. Routing Information Protocol. Remote Login in UNIX Systems. Remote Procedure Call. Real Time Messaging Protocol. Real-time Transport Protocol. Real Time Publish Subscribe. Real Time Streaming Protocol. Session Announcement Protocol. Session Description Protocol. Session Initiation Protocol. Service Location Protocol. Server Message Block. Simple Mail Transfer Protocol. Simple Network Management Protocol. Simple Network Time Protocol. Secure Shell. Secure SMS Messaging Protocol. Styx/9P - Plan 9 from Bell Labs distributed file system protocol. Sampled Values Protocol. Transaction Capabilities Application Part. Tabular Data Stream. Anonymity network. Time Stamp Protocol. Virtual Terminal Protocol. Remote Directory Access Protocol. Web Distributed Authoring and Versioning. Message Handling Service Protocol. Directory Access Protocol (DAP). Extensible Messaging and Presence Protocol. type string applicationProtocolVersion description The version of the application protocol. e.g. "1.1, 2.0" type string asn description Autonomous system number. type string carrierName description Carrier identification. type string communityId description Community ID network flow value. type string dhcp $ref Dhcp description DHCP info. direction description The direction of network traffic. enum UNKNOWN_DIRECTION INBOUND OUTBOUND BROADCAST enumDescriptions The default direction. An inbound request. An outbound request. A broadcast. type string dns $ref Dns description DNS info. dnsDomain description DNS domain name. type string email $ref Email description Email info for the sender/recipient. ftp $ref Ftp description FTP info. http $ref Http description HTTP info. ipProtocol description The IP protocol. enum UNKNOWN_IP_PROTOCOL ICMP IGMP TCP UDP IP6IN4 GRE ESP ICMP6 EIGRP ETHERIP PIM VRRP SCTP enumDescriptions The default protocol. ICMP. IGMP TCP. UDP. IPv6 Encapsulation Generic Routing Encapsulation Encapsulating Security Payload ICMPv6 Enhanced Interior Gateway Routing Ethernet-within-IP Encapsulation Protocol Independent Multicast Virtual Router Redundancy Protocol Stream Control Transmission Protocol type string ipSubnetRange description Associated human-readable IP subnet range (e.g. 10.1.2.0/24). type string organizationName description Organization name (e.g Google). type string parentSessionId description The ID of the parent network session. type string receivedBytes description The number of bytes received. format uint64 type string receivedPackets description The number of packets received. format int64 type string sentBytes description The number of bytes sent. format uint64 type string sentPackets description The number of packets sent. format int64 type string sessionDuration description The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer. format google-duration type string sessionId description The ID of the network session. type string smtp $ref Smtp description SMTP info. Store fields specific to SMTP not covered by Email. tls $ref Tls description TLS info. type object Noun description The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event. id Noun properties administrativeDomain description Domain which the device belongs to (for example, the Microsoft Windows domain). type string application description The name of an application or service. Some SSO solutions only capture the name of a target application such as "Atlassian" or "Chronicle". type string artifact $ref Artifact description Information about an artifact. asset $ref Asset description Information about the asset. assetId description The asset ID. This field can be used as an entity indicator for asset entities. type string cloud $ref Cloud deprecated True description Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud). domain $ref Domain description Information about the domain. email description Email address. Only filled in for security_result.about type string file $ref BackstoryFile description Information about the file. group $ref Group description Information about the group. hostname description Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities. type string investigation $ref Investigation description Analyst feedback/investigation for alerts. ip description A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities. items type string type array ipGeoArtifact description Enriched geographic information corresponding to an IP address. Specifically, location and network data. items $ref Artifact type array ipLocation deprecated True description Deprecated: use ip_geo_artifact.location instead. items $ref Location type array labels deprecated True description Labels are key-value pairs. For example: key = "env", value = "prod". Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels). items $ref Label type array location $ref Location description Physical location. For cloud environments, set the region in location.name. mac description List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities. items type string type array namespace description Namespace which the device belongs to, such as "AD forest". Uses for this field include Microsoft Windows AD forest, the name of subsidiary, or the name of acquisition. This field can be used along with an asset indicator to identify an asset. type string natIp description A list of NAT translated IP addresses associated with a network connection. items type string type array natPort description NAT external network port number when a specific network connection is described within an event. format int32 type integer network $ref Network description Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). objectReference $ref Id description Finding to which the Analyst updated the feedback. platform description Platform. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description Platform patch level. For example, "Build 17134.48" type string platformVersion description Platform version. For example, "Microsoft Windows 1803". type string port description Source or destination network port number when a specific network connection is described within an event. format int32 type integer process $ref Process description Information about the process. processAncestors description Information about the process's ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery. items $ref Process type array registry $ref Registry description Registry information. resource $ref Resource description Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun. resourceAncestors description Information about the resource's ancestors ordered from immediate ancestor (starting with parent resource). items $ref Resource type array securityResult description A list of security results. items $ref SecurityResult type array url description The URL. type string urlMetadata $ref Url description Information about the URL. user $ref User description Information about the user. userManagementChain description Information about the user's management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery. items $ref User type array type object NtfsFileMetadata description NTFS-specific file metadata. id NtfsFileMetadata properties changeTime description NTFS MFT entry changed timestamp. format google-datetime type string filenameAccessTime description NTFS $FILE_NAME attribute accessed timestamp. format google-datetime type string filenameChangeTime description NTFS $FILE_NAME attribute changed timestamp. format google-datetime type string filenameCreateTime description NTFS $FILE_NAME attribute created timestamp. format google-datetime type string filenameModifyTime description NTFS $FILE_NAME attribute modified timestamp. format google-datetime type string type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object Option description DHCP options. id Option properties code description Code. See RFC1533. format uint32 type integer data description Data. format byte type string type object PDFInfo description Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info id PDFInfo properties acroform description Number of /AcroForm tags found in the PDF. format int64 type string autoaction description Number of /AA tags found in the PDF. format int64 type string embeddedFile description Number of /EmbeddedFile tags found in the PDF. format int64 type string encrypted description Whether the document is encrypted or not. This is defined by the /Encrypt tag. format int64 type string endobjCount description Number of object definitions (endobj keyword). format int64 type string endstreamCount description Number of defined stream objects (stream keyword). format int64 type string flash description Number of /RichMedia tags found in the PDF. format int64 type string header description PDF version. type string javascript description Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios. format int64 type string jbig2Compression description Number of /JBIG2Decode tags found in the PDF. format int64 type string js description Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios. format int64 type string launchActionCount description Number of /Launch tags found in the PDF file. format int64 type string objCount description Number of objects definitions (obj keyword). format int64 type string objectStreamCount description Number of object streams. format int64 type string openaction description Number of /OpenAction tags found in the PDF. format int64 type string pageCount description Number of pages in the PDF. format int64 type string startxref description Number of startxref keywords in the PDF. format int64 type string streamCount description Number of defined stream objects (stream keyword). format int64 type string suspiciousColors description Number of colors expressed with more than 3 bytes (CVE-2009-3459). format int64 type string trailer description Number of trailer keywords in the PDF. format int64 type string xfa description Number of \XFA tags found in the PDF. format int64 type string xref description Number of xref keywords in the PDF. format int64 type string type object PeFileMetadata description Metadata about a Microsoft Windows Portable Executable. id PeFileMetadata properties importHash description Hash of PE imports. type string type object Permission description System permission for resource access and modification. id Permission properties description description Description of the permission (e.g. 'Ability to update detect rules'). type string name description Name of the permission (e.g. chronicle.analyst.updateRule). type string type description Type of the permission. enum UNKNOWN_PERMISSION_TYPE ADMIN_WRITE ADMIN_READ DATA_WRITE DATA_READ enumDescriptions Default permission type. Administrator write permission. Administrator read permission. Data resource access write permission. Data resource access read permission. type string type object PlatformSoftware description Platform software information about an operating system. id PlatformSoftware properties platform description The platform operating system. enum UNKNOWN_PLATFORM WINDOWS MAC LINUX GCP AWS AZURE IOS ANDROID CHROME_OS enumDeprecated False False False False True True True False False False enumDescriptions Default value. Microsoft Windows. macOS. Linux. Deprecated: see cloud.environment. Deprecated: see cloud.environment. Deprecated: see cloud.environment. IOS Android Chrome OS type string platformPatchLevel description The platform software patch level ( e.g. "Build 17134.48", "SP1"). type string platformVersion description The platform software version ( e.g. "Microsoft Windows 1803"). type string type object PopularityRank description Domain's position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo. id PopularityRank properties giver description Name of the rank serial number hexdump. type string ingestionTime description Timestamp when the rank was ingested. format google-datetime type string rank description Rank position. format int64 type string type object Prevalence description The prevalence of a resource within the customer's environment. This measures how common it is for assets to access the resource. id Prevalence properties dayCount description The number of days over which rolling_max is calculated. format int32 type integer dayMax description The max prevalence score in a day interval window. format int32 type integer dayMaxSubDomains description The max prevalence score in a day interval window across sub-domains. This field is only valid for domains. format int32 type integer rollingMax description The maximum number of assets per day accessing the resource over the trailing day_count days. format int32 type integer rollingMaxSubDomains description The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains. format int32 type integer type object Process description Information about a process. id Process properties accessMask description A bit mask representing the level of access. format uint64 type string commandLine description The command line command that created the process. This field can be used as an entity indicator for process entities. type string commandLineHistory description The command line history of the process. items type string type array egid description The effective group ID of the process. type string euid description The effective user ID of the process. type string file $ref BackstoryFile description Information about the file in use by the process. integrityLevelRid description The Microsoft Windows integrity level relative ID (RID) of the process. format uint64 type string parentPid deprecated True description The ID of the parent process. Deprecated: use parent_process.pid instead. type string parentProcess $ref Process description Information about the parent process. pgid description The identifier that points to the process group ID leader. type string pid description The process ID. This field can be used as an entity indicator for process entities. type string productSpecificParentProcessId deprecated True description A product specific id for the parent process. Please use parent_process.product_specific_process_id instead. type string productSpecificProcessId description A product specific process id. type string rgid description The real group ID of the process. type string ruid description The real user ID of the process. type string sessionLeaderPid description The process ID of the session leader process. type string tokenElevationType description The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled. enum UNKNOWN TYPE_1 TYPE_2 TYPE_3 enumDescriptions An undetermined token type. A full token with no privileges removed or groups disabled. An elevated token with no privileges removed or groups disabled. Used when running as administrator. A limited token with administrative privileges removed and administrative groups disabled. type string tty description The teletype terminal which the command was executed within. type string type object ProviderMLVerdict description Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. id ProviderMLVerdict properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer confidenceScore description Confidence score of the verdict. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer mandiantSources description List of mandiant sources from which the verdict was generated. items $ref Source type array sourceProvider description Source provider giving the ML verdict. type string thirdPartySources description List of third-party sources from which the verdict was generated. items $ref Source type array type object PublicKey description Subject public key info. id PublicKey properties algorithm description Any of "RSA", "DSA" or "EC". Indicates the algorithm used to generate the certificate. type string rsa $ref RSA description RSA public key information. type object Question description DNS Questions. See RFC1035, section 4.1.2. id Question properties class description The code specifying the class of the query. format uint32 type integer name description The domain name. type string prevalence $ref Prevalence description The prevalence of the domain within the customer's environment. type description The code specifying the type of the query. format uint32 type integer type object RSA description RSA public key information. id RSA properties exponent description Key exponent hexdump. type string keySize description Key size. format int64 type string modulus description Key modulus hexdump. type string type object Reference description Reference to model primatives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies. BEGIN GOOGLE-INTERNAL See go/udm:ids for additional details. END GOOGLE-INTERNAL id Reference properties entity $ref BackstoryEntity description Entity being referenced. End one-of event $ref UDM description Only one of event or entity will be populated for a single reference. Start one-of Event being referenced. id $ref Id description Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated. type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Registry description Information about a registry key or value. id Registry properties registryKey description Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment...). type string registryValueData description Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp). type string registryValueName description Name of the registry value associated with an application or system component (e.g. TEMP). type string registryValueType description Type of the registry value. enum TYPE_UNSPECIFIED NONE SZ EXPAND_SZ BINARY DWORD DWORD_LITTLE_ENDIAN DWORD_BIG_ENDIAN LINK MULTI_SZ RESOURCE_LIST QWORD QWORD_LITTLE_ENDIAN enumDescriptions Default registry value type used when the type is unknown. The registry value is not set and only the key exists. A null-terminated string. A null-terminated string that contains unexpanded references to environment variables Binary data in any form. A 32-bit number. A 32-bit number in little-endian format. A 32-bit number in big-endian format. A null-terminated Unicode string that contains the target path of a symbolic link. A sequence of null-terminated strings, terminated by an empty string A device driver resource list. A 64-bit number. A 64-bit number in little-endian format. type string type object Relation description Defines the relationship between the entity (a) and another entity (b). id Relation properties direction description Directionality of relationship between primary entity (a) and the related entity (b). enum DIRECTIONALITY_UNSPECIFIED BIDIRECTIONAL UNIDIRECTIONAL enumDescriptions Default value. Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a). Modeled in a single direction. Primary entity (a) to related entity (b). type string entity $ref Noun description Entity (b) that the primary entity (a) is related to. entityLabel description Label to identify the Noun of the relation. enum ENTITY_LABEL_UNSPECIFIED PRINCIPAL TARGET OBSERVER SRC NETWORK SECURITY_RESULT INTERMEDIARY enumDescriptions Default value. The Noun represents a principal type object. The Noun represents a target type object. The Noun represents an observer type object. The Noun represents src type object. The Noun represents a network type object. The Noun represents a SecurityResult object. The Noun represents an intermediary type object. type string entityType description Type of the related entity (b) in this relationship. enum UNKNOWN_ENTITYTYPE ASSET USER GROUP RESOURCE IP_ADDRESS FILE DOMAIN_NAME URL MUTEX METRIC enumDescriptions @hide_from_doc An asset, such as workstation, laptop, phone, virtual machine, etc. User. Group. Resource. An external IP address. A file. A domain. A url. A mutex. A metric. type string relationship description Type of relationship. enum RELATIONSHIP_UNSPECIFIED OWNS ADMINISTERS MEMBER EXECUTES DOWNLOADED_FROM CONTACTS enumDescriptions Default value Related entity is owned by the primary entity (e.g. user owns device asset). Related entity is administered by the primary entity (e.g. user administers a group). Primary entity is a member of the related entity (e.g. user is a member of a group). Primary entity may have executed the related entity. Primary entity may have been downloaded from the related entity. Primary entity contacts the related entity. type string uid description UID of the relationship. format byte type string type object Resource description Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar. id Resource properties attribute $ref Attribute description Generic entity metadata attributes of the resource. id deprecated True description Deprecated: Use resource.name or resource.product_object_id. type string name description The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe. type string parent deprecated True description The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name. type string productObjectId description A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar) This field can be used as an entity indicator for a Resource entity. type string resourceSubtype description Resource sub-type (e.g. "BigQuery", "Bigtable"). type string resourceType description Resource type. enum UNSPECIFIED MUTEX TASK PIPE DEVICE FIREWALL_RULE MAILBOX_FOLDER VPC_NETWORK VIRTUAL_MACHINE STORAGE_BUCKET STORAGE_OBJECT DATABASE TABLE CLOUD_PROJECT CLOUD_ORGANIZATION SERVICE_ACCOUNT ACCESS_POLICY CLUSTER SETTING DATASET BACKEND_SERVICE POD CONTAINER FUNCTION RUNTIME IP_ADDRESS DISK VOLUME IMAGE SNAPSHOT REPOSITORY CREDENTIAL LOAD_BALANCER GATEWAY SUBNET USER enumDescriptions Default type. Mutex. Task. Named pipe. Device. Firewall rule. Mailbox folder. VPC Network. Virtual machine. Storage bucket. Storage object. Database. Data table. Cloud project. Cloud organization. Service account. Access policy. Cluster. Settings. Dataset. Endpoint that receive traffic from a load balancer or proxy. Pod, which is a collection of containers. Often used in Kubernetes. Container. Cloud function. Runtime. IP address. Disk. Volume. Machine image. Snapshot. Repository. Credential, e.g. access keys, ssh keys, tokens, certificates. Load balancer. Gateway. Subnet. User. type string type deprecated True description Deprecated: use resource_type instead. type string type object ResourceRecord description DNS Resource Records. See RFC1035, section 4.1.3. id ResourceRecord properties binaryData description The raw bytes of any non-UTF8 strings that might be included as part of a DNS response. format byte type string class description The code specifying the class of the resource record. format uint32 type integer data description The payload or response to the DNS question for all responses encoded in UTF-8 format type string name description The name of the owner of the resource record. type string ttl description The time interval for which the resource record can be cached before the source of the information should again be queried. format uint32 type integer type description The code specifying the type of the resource record. format uint32 type integer type object ResponsePlatformInfo description Related info of an Alert in customer's SOAR platform. id ResponsePlatformInfo properties alertId description Id of the alert in SOAR product. type string responsePlatformType description Type of SOAR product. enum RESPONSE_PLATFORM_TYPE_UNSPECIFIED RESPONSE_PLATFORM_TYPE_SIEMPLIFY enumDescriptions Response platform not specified. Siemplify type string type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object RiskDelta description Describes the difference in risk score between two points in time. id RiskDelta properties previousRangeEndTime description End time of the previous time window. format google-datetime type string previousRiskScore description Risk score from previous risk window format int32 type integer riskScoreDelta description Difference in the normalized risk score from the previous recorded value. format int32 type integer riskScoreNumericDelta description Numeric change between current and previous risk score format int32 type integer type object Role description System role for resource access and modification. id Role properties description description System role description for user. type string name description System role name for user. type string type description System role type for well known roles. enum TYPE_UNSPECIFIED ADMINISTRATOR SERVICE_ACCOUNT enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object RuntimeError id RuntimeError properties errorText type string timeRange $ref Interval type object SSLCertificate description SSL certificate. id SSLCertificate properties certExtensions additionalProperties description Properties of the object. type any description Certificate's extensions. type object certSignature $ref CertSignature description Certificate's signature and algorithm. ec $ref EC description EC public key information. extension $ref Extension deprecated True description (DEPRECATED) certificate's extension. firstSeenTime description Date the certificate was first retrieved by VirusTotal. format google-datetime type string issuer $ref Subject description Certificate's issuer data. publicKey $ref PublicKey description Public key information. serialNumber description Certificate's serial number hexdump. type string signatureAlgorithm description Algorithm used for the signature (for example, "sha1RSA"). type string size description Certificate content length. format int64 type string subject $ref Subject description Certificate's subject data. thumbprint description Certificate's content SHA1 hash. type string thumbprintSha256 description Certificate's content SHA256 hash. type string validity $ref Validity description Certificate's validity period. version description Certificate version (typically "V1", "V2" or "V3"). type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object SearchDataTableColumnInfo id SearchDataTableColumnInfo properties isDefault type boolean originalColumn type string type object SearchDataTableInfo id SearchDataTableInfo properties columnInfo items $ref SearchDataTableColumnInfo type array dataTable type string type object SearchDataTableRow id SearchDataTableRow properties column type string value type string type object SearchDataTableRowInfo id SearchDataTableRowInfo properties dataTable type string rows items $ref SearchDataTableRow type array type object SecurityResult description Security related metadata for the event. A security result might be something like "virus detected and quarantined," "malicious connection blocked," or "sensitive data included in document foo.doc." Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, IP, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty. id SecurityResult properties about $ref Noun description If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a finding (a detection or alert). action description Actions taken for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_ACTION ALLOW BLOCK ALLOW_WITH_MODIFICATION QUARANTINE FAIL CHALLENGE enumDescriptions The default action. Allowed. Blocked. Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded). Put somewhere for later analysis (does NOT imply block). Failed (e.g. the event was allowed but failed). Challenged (e.g. the user was challenged by a Captcha, 2FA). type string type array actionDetails description The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string alertState description The alerting types of this security result. This is primarily set for rule-generated detections and alerts. enum UNSPECIFIED NOT_ALERTING ALERTING enumDescriptions The security result type is not known. The security result is not an alert. The security result is an alert. type string analyticsMetadata description Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref AnalyticsMetadata type array associations description Associations related to the threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref Association type array attackDetails $ref AttackDetails description MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a finding (a detection or alert). campaigns description Campaigns using this IOC threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array category description The security category. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items enum UNKNOWN_CATEGORY SOFTWARE_MALICIOUS SOFTWARE_SUSPICIOUS SOFTWARE_PUA NETWORK_MALICIOUS NETWORK_SUSPICIOUS NETWORK_CATEGORIZED_CONTENT NETWORK_DENIAL_OF_SERVICE NETWORK_RECON NETWORK_COMMAND_AND_CONTROL ACL_VIOLATION AUTH_VIOLATION EXPLOIT DATA_EXFILTRATION DATA_AT_REST DATA_DESTRUCTION TOR_EXIT_NODE MAIL_SPAM MAIL_PHISHING MAIL_SPOOFING POLICY_VIOLATION SOCIAL_ENGINEERING PHISHING enumDescriptions The default category. Malware, spyware, rootkit. Below the conviction threshold; probably bad. Potentially Unwanted App (such as adware). Includes C&C or network exploit. Suspicious activity, such as potential reverse tunnel. Non-security related: URL has category like gambling or porn. DoS, DDoS. Port scan detected by an IDS, probing of web app. If we know this is a C&C channel. Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc. Authentication failed (e.g. bad password or bad 2-factor authentication). Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits. DLP: Sensitive data transmission, copy to thumb drive. DLP: Sensitive data found at rest in a scan. Attempt to destroy/delete data. TOR Exit Nodes. Spam email, message, etc. Phishing email, chat messages, etc. Spoofed source email address, etc. Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action). Threats which manipulate to break normal security procedures. Phishing pages, pops, https phishing etc. type string type array categoryDetails description For vendor-specific categories. For web categorization, put type in here such as "gambling" or "porn". This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array confidence description The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string confidenceDetails description Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string confidenceScore description The confidence score of the security result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format float type number description description A human-readable description (e.g. "user password was wrong"). This can be more detailed than the summary. type string detectionDepth description The depth of the detection chain. Applies only to composite detections. format int64 type string detectionFields description An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables). This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array firstDiscoveredTime description First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastDiscoveredTime description Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string lastUpdatedTime description Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). format google-datetime type string outcomes description A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). items $ref Label type array priority description The priority of the result. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum UNKNOWN_PRIORITY LOW_PRIORITY MEDIUM_PRIORITY HIGH_PRIORITY enumDescriptions Default priority level. Low priority. Medium priority. High priority. type string priorityDetails description Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string reports description Reports that reference this IOC threat. These are the report IDs. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items type string type array riskScore description The risk score of the security result. format float type number ruleAuthor description Author of the security rule. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string ruleId description A vendor-specific ID for a rule, varying by observer type (e.g. "08123", "5d2b44d0-5ef6-40f5-a704-47d61d3babbe"). type string ruleLabels description A list of rule labels that can't be captured by the other fields in security result (e.g. "reference : AnotherRule", "contributor : John"). This is primarily set in rule-generated detections and alerts. items $ref Label type array ruleName description Name of the security rule (e.g. "BlockInboundToOracle"). type string ruleSet description The curated detection's rule set identifier. (for example, "windows-threats") This is primarily set in rule-generated detections and alerts. type string ruleSetDisplayName description The curated detections rule set display name. This is primarily set in rule-generated detections and alerts. type string ruleType description The type of security rule. type string ruleVersion description Version of the security rule. (e.g. "v1.1", "00001", "1604709794", "2020-11-16T23:04:19+00:00"). Note that rule versions are source-dependant and lexical ordering should not be assumed. type string rulesetCategoryDisplayName description The curated detection rule set category display name. (for example, if rule_set_display_name is "CDIR SCC Enhanced Exfiltration", the rule_set_category is "Cloud Threats"). This is primarily set in rule-generated detections and alerts. type string severity description The severity of the result. enum UNKNOWN_SEVERITY INFORMATIONAL ERROR NONE LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Info severity. An error. No malicious result. Low-severity malicious result. Medium-severity malicious result. High-severity malicious result. Critical-severity malicious result. type string severityDetails description Vendor-specific severity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string summary description A short human-readable summary (e.g. "failed login occurred") type string threatFeedName description Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatId description Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatIdNamespace description The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum NORMALIZED_TELEMETRY RAW_TELEMETRY RULE_DETECTIONS UPPERCASE MACHINE_INTELLIGENCE SECURITY_COMMAND_CENTER UNSPECIFIED SOAR_ALERT VIRUS_TOTAL enumDescriptions Ingested and Normalized telemetry events Ingested Raw telemetry Chronicle Rules engine Uppercase DSML - Machine Intelligence A normalized telemetry event from Google Security Command Center. Unspecified Namespace An alert coming from other SIEMs via Chronicle SOAR. VirusTotal. type string threatName description A vendor-assigned classification common across multiple customers (for example, "W32/File-A", "Slammer"). This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string threatStatus description Current status of the threat This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_STATUS_UNSPECIFIED ACTIVE CLEARED FALSE_POSITIVE enumDescriptions Default threat status Active threat. Cleared threat. False positive. type string threatVerdict description GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a finding (a detection or alert). enum THREAT_VERDICT_UNSPECIFIED UNDETECTED SUSPICIOUS MALICIOUS enumDescriptions Unspecified threat verdict level. Undetected threat verdict level. Suspicious threat verdict level. Malicious threat verdict level. type string urlBackToProduct description URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a finding (a detection or alert). type string variables additionalProperties $ref FindingVariable description A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values. This is only populated when the SecurityResult appears in a finding (a detection or alert). type object verdict $ref Verdict deprecated True description Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead. verdictInfo description Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a finding (a detection or alert). items $ref VerdictInfo type array type object Server description Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash). id Server properties certificate $ref Certificate description Server certificate. ja3s description JA3 hash from the TLS ServerHello, as a hex-encoded string. type string type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object SignatureInfo description File signature information extracted from different tools. id SignatureInfo properties codesign $ref FileMetadataCodesign description Signature information extracted from the codesign utility. sigcheck $ref FileMetadataSignatureInfo description Signature information extracted from the sigcheck tool. type object SignerInfo description File metadata related to the signer information. id SignerInfo properties certIssuer description Company that issued the certificate. type string name description Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority. type string status description It can say "Valid" or state the problem with the certificate if any (e.g. "This certificate or one of the certificates in the certificate chain is not time valid."). type string validUsage description Indicates which situations the certificate is valid for (e.g. "Code Signing"). type string type object Smtp description SMTP info. See RFC 2821. id Smtp properties helo description The client's 'HELO'/'EHLO' string. type string isTls description If the connection switched to TLS. type boolean isWebmail description If the message was sent via a webmail client. type boolean mailFrom description The client's 'MAIL FROM' string. type string messagePath description The message's path (extracted from the headers). type string rcptTo description The client's 'RCPT TO' string(s). items type string type array serverResponse description The server's response(s) to the client. items type string type array type object SoarAlertMetadata description Metadata fields of alerts coming from other SIEM systems. id SoarAlertMetadata properties alertId description Alert ID in the source SIEM system. type string product description Name of the product the alert is coming from. type string sourceRule description Name of the rule triggering the alert in the source SIEM. type string sourceSystem description Name of the Source SIEM system. type string sourceSystemTicketId description Ticket id for the alert in the source system. type string sourceSystemUri description Url to the source SIEM system. type string vendor description Name of the vendor. type string type object Software description Information about a software package or application. id Software properties description description The description of the software. type string name description The name of the software. type string permissions description System permissions granted to the software. For example, "android.permission.WRITE_EXTERNAL_STORAGE" items $ref Permission type array vendorName description The name of the software vendor. type string version description The version of the software. type string type object Source description Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources. id Source properties benignCount description Count of responses where this IoC was marked benign. format int32 type integer maliciousCount description Count of responses where this IoC was marked malicious. format int32 type integer name description Name of the IoC source. type string quality description Quality of the IoC mapping extracted from the source. enum UNKNOWN_CONFIDENCE LOW_CONFIDENCE MEDIUM_CONFIDENCE HIGH_CONFIDENCE enumDescriptions The default confidence level. Low confidence. Medium confidence. High confidence. type string responseCount description Total response count from this source. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer threatIntelligenceSources description Different threat intelligence sources from which IoC info was extracted. items $ref Source type array type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object StringSequence description StringSequence represents a sequence of string. id StringSequence properties stringVals description string sequence. items type string type array type object StringToInt64MapEntry id StringToInt64MapEntry properties key description Key field. type string value description Value field. format int64 type string type object StringValue id StringValue properties displayValue type string rawValue type string type object StringValues id StringValues properties values items $ref StringValue type array type object Subject description Subject data. id Subject properties commonName description CN: CommonName. type string countryName description C: Country name. type string locality description L: Locality. type string organization description O: Organization. type string organizationalUnit description OU: OrganizationalUnit. type string stateOrProvinceName description ST: StateOrProvinceName. type string type object Tactic description Tactic information related to an attack or threat. id Tactic properties id description Tactic ID (e.g. "TA0043"). type string name description Tactic Name (e.g. "Reconnaissance") type string type object Tags description Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters. id Tags properties dataTapConfigName description A list of sink name values defined in DataTap configurations. items type string type array tenantId description A list of subtenant ids that this event belongs to. items format byte type string type array type object Technique description Technique information related to an attack or threat. id Technique properties id description Technique ID (e.g. "T1595"). type string name description Technique Name (e.g. "Active Scanning"). type string subtechniqueId description Subtechnique ID (e.g. "T1595.001"). type string subtechniqueName description Subtechnique Name (e.g. "Scanning IP Blocks"). type string type object TimeOff description System record for leave/time-off from a Human Capital Management (HCM) system. id TimeOff properties description description Description of the leave if available (e.g. 'Vacation'). type string interval $ref Interval description Interval duration of the leave. type object Tls description Transport Layer Security (TLS) information. id Tls properties cipher description Cipher used during the connection. type string client $ref Client description Certificate information for the client certificate. curve description Elliptical curve used for a given cipher. type string established description Indicates whether the TLS negotiation was successful. type boolean nextProtocol description Protocol to be used for tunnel. type string resumed description Indicates whether the TLS connection was resumed from a previous TLS negotiation. type boolean server $ref Server description Certificate information for the server certificate. version description TLS version. type string versionProtocol description Protocol. type string type object Tracker description URL Tracker. id Tracker properties id description Tracker ID, if available. type string timestamp description Tracker ingestion date. format google-datetime type string tracker description Tracker name. type string url description Tracker script URL. type string type object Tunnels description VPN tunnels. id Tunnels properties provider description The provider of the VPN tunnels being used. type string type description The type of the VPN tunnels. type string type object UDM description A Unified Data Model event. id UDM properties about description Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event. items $ref Noun type array additional additionalProperties description Properties of the object. type any description Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model. type object extensions $ref Extensions description All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network. extracted additionalProperties description Properties of the object. type any description Flattened fields extracted from the log. type object intermediary description Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they're added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that 'principal', 'target', and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C). items $ref Noun type array metadata $ref Metadata description Event metadata such as timestamp, source product, etc. network $ref Network description All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP). observer $ref Noun description Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question. principal $ref Noun description Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields: email, files, registry keys or values. securityResult description A list of security results. items $ref SecurityResult type array src $ref Noun description Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event. target $ref Noun description Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target. type object UdmColumnList id UdmColumnList properties values items $ref UdmColumnValue type array type object UdmColumnType id UdmColumnType properties list $ref UdmColumnList value $ref UdmColumnValue type object UdmColumnValue id UdmColumnValue properties boolVal type boolean bytesVal format byte type string dateVal $ref Date doubleVal format double type number int64Val format int64 type string nullVal type boolean protoVal additionalProperties description Properties of the object. Contains field @type with type URL. type any type object stringVal type string timestampVal format google-datetime type string uint64Val format uint64 type string type object UdmEventInfo id UdmEventInfo properties alertNumber format int32 type integer annotations items enum ANNOTATION_UNSPECIFIED ANNOTATION_ALERT enumDescriptions type string type array chip $ref Chip deprecated True connectedComponentLabel description Optional. format byte type string datatableRowInfo items $ref SearchDataTableRowInfo type array detections items $ref Collection type array displayName deprecated True type string entity $ref BackstoryEntity event $ref UDM eventLogToken type string filterProperties $ref FilterProperties deprecated True outcomes items $ref UdmColumnType type array tenantId description Optional. type string uid format byte type string type object UdmEventList id UdmEventList properties columnNames $ref ColumnNames complete type boolean datatableInfo items $ref SearchDataTableInfo type array events items $ref UdmEventInfo type array progress format double type number tooManyEvents type boolean type object UdmFieldAggregation id UdmFieldAggregation properties aggregationType enum UNSPECIFIED_FIELD_AGGREGATION_TYPE UDM_FIELD_AGGREGATION_TYPE ENTITY_FIELD_AGGREGATION_TYPE enumDescriptions type string allValues items $ref UdmValueCount type array baselineEventCount format int32 type integer bottomValues items $ref UdmValueCount type array eventCount format int32 type integer fieldName type string tooManyValues type boolean topValues items $ref UdmValueCount type array valueCount format int32 type integer type object UdmFieldAggregations id UdmFieldAggregations properties complete type boolean fields items $ref UdmFieldAggregation type array groupByFields items $ref GroupAggregationByField type array type object UdmFieldValue id UdmFieldValue properties boolValue type boolean bytesValue format byte type string doubleValue format double type number enumValue type string floatValue format float type number int32Value format int32 type integer int64Value format int64 type string isNull type boolean stringValue type string timestampValue format google-datetime type string uint32Value format uint32 type integer uint64Value format uint64 type string type object UdmPrevalence id UdmPrevalence properties artifacts items $ref FieldAndValue type array prevalence format int32 type integer type object UdmPrevalenceBucket id UdmPrevalenceBucket properties prevalence items $ref UdmPrevalence type array type object UdmPrevalenceResponse id UdmPrevalenceResponse properties buckets items $ref UdmPrevalenceBucket type array partialPrevalence type boolean type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UdmValueCount id UdmValueCount properties baselineEventCount format int32 type integer eventCount format int32 type integer value $ref UdmFieldValue type object Uint64Sequence description Uint64Sequence represents a sequence of uint64s. id Uint64Sequence properties uint64Vals description uint64 sequence. items format uint64 type string type array type object Url description Url. id Url properties categories description Categorisation done by VirusTotal partners. items type string type array favicon $ref Favicon description Difference hash and MD5 hash of the URL's. htmlMeta additionalProperties description Properties of the object. type any description Meta tags (only for URLs downloading HTML). type object lastFinalUrl description If the original URL redirects, where does it end. type string lastHttpResponseCode description HTTP response code of the last response. format int32 type integer lastHttpResponseContentLength description Length in bytes of the content received. format int64 type string lastHttpResponseContentSha256 description URL response body's SHA256 hash. type string lastHttpResponseCookies additionalProperties description Properties of the object. type any description Website's cookies. type object lastHttpResponseHeaders additionalProperties description Properties of the object. type any description Headers and values of the last HTTP response. type object tags description Tags. items type string type array title description Webpage title. type string trackers description Trackers found in the URL in a historical manner. items $ref Tracker type array url description URL. type string type object User description Information about a user. id User properties accountExpirationTime description User account expiration timestamp. format google-datetime type string accountLockoutTime description User account lockout timestamp. format google-datetime type string accountType description Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/ enum ACCOUNT_TYPE_UNSPECIFIED DOMAIN_ACCOUNT_TYPE LOCAL_ACCOUNT_TYPE CLOUD_ACCOUNT_TYPE SERVICE_ACCOUNT_TYPE DEFAULT_ACCOUNT_TYPE enumDescriptions Default user account type. A human account part of some domain in directory services. A local machine account. A SaaS service account type (such as Slack or GitHub). A non-human account for data access. A system built in default account. type string attribute $ref Attribute description Generic entity metadata attributes of the user. companyName description User job company name. type string department description User job department items type string type array emailAddresses description Email addresses of the user. This field can be used as an entity indicator for user entities. items type string type array employeeId description Human capital management identifier. This field can be used as an entity indicator for user entities. type string firstName description First name of the user (e.g. "John"). type string firstSeenTime description The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed. format google-datetime type string groupIdentifiers description Product object identifiers of the group(s) the user belongs to A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar). items type string type array groupid deprecated True description The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field. type string hireDate description User job employment hire date. format google-datetime type string lastBadPasswordAttemptTime description User last bad password attempt timestamp. format google-datetime type string lastLoginTime description User last login timestamp. format google-datetime type string lastName description Last name of the user (e.g. "Locke"). type string lastPasswordChangeTime description User last password change timestamp. format google-datetime type string managers description User job manager(s). items $ref User type array middleName description Middle name of the user. type string officeAddress $ref Location description User job office location. passwordExpirationTime description User password expiration timestamp. format google-datetime type string personalAddress $ref Location description Personal address of the user. phoneNumbers description Phone numbers for the user. items type string type array productObjectId description A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities. type string roleDescription deprecated True description System role description for user. Deprecated: use attribute.roles. type string roleName deprecated True description System role name for user. Deprecated: use attribute.roles. type string terminationDate description User job employment termination date. format google-datetime type string timeOff description User time off leaves from active work. items $ref TimeOff type array title description User job title. type string userAuthenticationStatus description System authentication status for user. enum UNKNOWN_AUTHENTICATION_STATUS ACTIVE SUSPENDED NO_ACTIVE_CREDENTIALS DELETED enumDescriptions The default authentication status. The authentication method is in active state. The authentication method is in suspended/disabled state. The authentication method has no active credentials. The authentication method has been deleted. type string userDisplayName description The display name of the user (e.g. "John Locke"). type string userRole deprecated True description System role for user. Deprecated: use attribute.roles. enum UNKNOWN_ROLE ADMINISTRATOR SERVICE_ACCOUNT enumDeprecated False False True enumDescriptions Default user role. Product administrator with elevated privileges. System service account for automated privilege access. Deprecated: not a role, instead set User.account_type. type string userid description The ID of the user. This field can be used as an entity indicator for user entities. type string windowsSid description The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities. type string type object UserAgentProto id UserAgentProto properties annotation items $ref Annotation type array browser description Product brand within the family: Firefox, Netscape, Camino etc.. Or Earth, Windows-Media-Player etc.. for non-browser user agents. type string browserEngineVersion description Version of the rendering engine e.g. "8.01" for "Opera/8.01" type string browserVersion description Minor and lower versions unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string carrier description Mobile specific: name of mobile carrier type string device description (Usually) Mobile specific: name of hardware device, may or may not contain the full model name. e.g. iPhone, Palm750, SPH-M800. Reduced to "K" for Android devices with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string deviceVersion description (Usually) Mobile specific: version of hardware device Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string family description User agent family captures the type of browser/app at a high-level e.g. MSIE, Gecko, Safari etc.. enum USER_DEFINED MSIE GECKO APPLEWEBKIT OPERA KHTML OTHER APPLE BLACKBERRY DOCOMO GOOGLE OPENWAVE POLARIS OBIGO TELECA MICROSOFT NOKIA NETFRONT SEMC SMIT KOREAN CLIENT_HINTS enumDescriptions Used to represent new families supported by user-defined parsers Desktop user agent families WebKit based browsers e.g. Safari e.g. Konqueror Mobile and non-browser user agent families UA's w/o enough data to fit into a family Apple apps e.g. YouTube on iPhone Google Earth, Sketchup, UpdateChecker etc... UP.Browser Windows Media Player, RSS platform etc... Sony Ericsson Mobile Communications SKT, LGT Constructed from UA-CH instead of UserAgent string. type string googleToolbarVersion description Version number of GoogleToolbar, if installed. Applies only to MSIE and Firefox at this time. type string javaConfiguration description Mobile specific: e.g. Configuration/CLDC-1.1 type string javaConfigurationVersion type string javaProfile description Mobile specific: e.g. Profile/MIDP-2.0 type string javaProfileVersion type string locale description Locale in which the browser is running as country code and optionally language pair. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string messaging description Mobile specific: e.g. MMP/2.0 type string messagingVersion type string os description Full name of the operating system e.g. "Darwin/9.7.0", "Android 1.5", "Windows 98" Version is reduced, and other data might also be missing, for reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string osVariant description Extra qualifier for the OS e.g. "(i386)", "Build/CUPCAKE", "PalmSource/Palm-D061" Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string platform description The platform describes the environment in which the browser or app runs. For desktop user agents, Platform is a string describing the OS family e.g. Windows, Macintosh, Linux. For mobile user agents, Platform either describes the OS family (if available) or the hardware maker. e.g. Linux, or HTC, LG, Palm. type string security description Security level reported by user agent, either U, I or N. Unavailable with reduced User-Agent and no client hints (go/ua-reduction-ua-string-reference). type string subFamily description Sub-family identifies individual regexps when a family has more than 1. This is used to generate the right UA string from a protobuf. Examples in the AppleWebKit family: Chrome and Safari. Can also be an arbitrary identifier. type string type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Validity description Defines certificate's validity period. id Validity properties expiryTime description Expiry date. format google-datetime type string issueTime description Issue date. format google-datetime type string type object Verdict description Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources. id Verdict properties analystVerdict $ref AnalystVerdict description Human analyst verdict provided by sources like Mandiant. neighbourInfluence description Describes the neighbour influence of the verdict. type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer verdict $ref ProviderMLVerdict description ML Verdict provided by sources like Mandiant. type object VerdictInfo description Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources. id VerdictInfo properties benignCount description Count of responses where this IoC was marked as benign. format int32 type integer categoryDetails description Tags related to the verdict. type string confidenceScore description Confidence score of the verdict. format int32 type integer globalCustomerCount description Global customer count over the last 30 days format int32 type integer globalHitsCount description Global hit count over the last 30 days. format int32 type integer iocStats description List of IoCStats from which the verdict was generated. items $ref IoCStats type array maliciousCount description Count of responses where this IoC was marked as malicious. format int32 type integer neighbourInfluence description Describes the near neighbor influence of the verdict. type string pwn description Whether one or more Mandiant incident response customers had this indicator in their environment. type boolean pwnFirstTaggedTime description The timestamp of the first time a pwn was associated to this entity. format google-datetime type string responseCount description Total response count across all sources. format int32 type integer sourceCount description Number of sources from which intelligence was extracted. format int32 type integer sourceProvider description Source provider giving the machine learning verdict. type string verdictResponse description Details about the verdict. enum VERDICT_RESPONSE_UNSPECIFIED MALICIOUS BENIGN enumDescriptions The default verdict response type. VerdictResponse resulted a threat as malicious. VerdictResponse resulted a threat as benign. type string verdictTime description Timestamp when the verdict was generated. format google-datetime type string verdictType description Type of verdict. enum VERDICT_TYPE_UNSPECIFIED PROVIDER_ML_VERDICT ANALYST_VERDICT enumDescriptions Verdict category not specified. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources. Verdict provided by the human analyst. These fields are used to model Mandiant sources. type string type object Vulnerabilities description The Vulnerabilities extension captures details on observed/detected vulnerabilities. id Vulnerabilities properties vulnerabilities description A list of vulnerabilities. items $ref Vulnerability type array type object Vulnerability description A vulnerability. id Vulnerability properties about $ref Noun description If the vulnerability is about a specific noun (e.g. executable), then add it here. cveDescription description Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record type string cveId description Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id type string cvssBaseScore description CVSS Base Score in the range of 0.0 to 10.0. Useful for sorting. format float type number cvssVector description Vector of CVSS properties (e.g. "AV:L/AC:H/Au:N/C:N/I:P/A:C") Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator type string cvssVersion description Version of CVSS Vector/Score. type string description description Description of the vulnerability. type string firstFound description Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset. format google-datetime type string lastFound description Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset. format google-datetime type string name description Name of the vulnerability (e.g. "Unsupported OS Version detected"). type string scanEndTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable. format google-datetime type string scanStartTime description If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable. format google-datetime type string severity description The severity of the vulnerability. enum UNKNOWN_SEVERITY LOW MEDIUM HIGH CRITICAL enumDescriptions The default severity level. Low severity. Medium severity. High severity. Critical severity. type string severityDetails description Vendor-specific severity type string vendor description Vendor of scan that discovered vulnerability. type string vendorKnowledgeBaseArticleId description Vendor specific knowledge base article (e.g. "KBXXXXXX" from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase type string vendorVulnerabilityId description Vendor specific vulnerability id (e.g. Microsoft security bulletin id). type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object X509 description File certificate. id X509 properties algorithm description Certificate algorithm. type string certIssuer description Issuer of the certificate. type string name description Certificate name. type string serialNumber description Certificate serial number. type string thumbprint description Certificate thumbprint. type string type object old_value CancelOperationRequest description The request message for Operations.CancelOperation. id CancelOperationRequest properties type object CompilationDiagnostic description CompilationDiagnostic represents a compilation diagnostic generated during a rule's compilation, such as a compilation error or a compilation warning. id CompilationDiagnostic properties message description Output only. The diagnostic message. readOnly True type string position $ref CompilationPosition description Output only. The approximate position in the rule text associated with the compilation diagnostic. Compilation Position may be empty. readOnly True severity description Output only. The severity of a rule's compilation diagnostic. enum SEVERITY_UNSPECIFIED WARNING ERROR enumDescriptions An unspecified severity level. A compilation warning. A compilation error. readOnly True type string uri description Output only. Link to documentation that describes a diagnostic in more detail. readOnly True type string type object CompilationPosition description CompilationPosition represents the location of a compilation diagnostic in rule text. id CompilationPosition properties endColumn description Output only. End column number, beginning at 1. format int32 readOnly True type integer endLine description Output only. End line number, beginning at 1. format int32 readOnly True type integer startColumn description Output only. Start column number, beginning at 1. format int32 readOnly True type integer startLine description Output only. Start line number, beginning at 1. format int32 readOnly True type integer type object CreateParserExtensionMetadata description Operation metadata for creating a parser extension. id CreateParserExtensionMetadata properties state description The state of the parser extension creation process. enum STATE_UNSPECIFIED NEW VALIDATING LIVE REJECTED INTERNAL_ERROR VALIDATED ARCHIVED enumDescriptions The state for this parser extension was not specified. The parser extension has been newly submitted and is waiting to be validated. The parser extension is currently going through the validation pipeline. The parser extension is live in production. Only configs that have successfully passed the validation stage will be set to LIVE. Validation completed, but the parser extension was rejected with errors. An error occurred when processing this parser extension. Extension is validated. Extension is archived and is no more being used. type string stateLastChangedTime description The time the config state was last changed. format google-datetime type string validationErrors description Any validation error while validating the extension, this have cap of size 10 items type string type array validationReport description The validation report generated during validation of the parser extension. type string type object CreateParserMetadata description Operation metadata for creating a parser. id CreateParserMetadata properties stage description The validation stage of the parser creation process. enum VALIDATION_STAGE_UNSPECIFIED NEW VALIDATING PASSED FAILED DELETE_CANDIDATE enumDescriptions The validation stage is not specified. The custom parser is submitted for validation. The custom parser is currently going through the validation pipeline The custom parser has successfully passed the validation. The custom parser has failed validation. The parser is no good, It is available for auto deletion. type string validationReport description The validation report generated during validation of the parser. type string type object DataAccessLabel description A DataAccessLabel is a label on events to define user access to data. id DataAccessLabel properties author description Output only. The user who created the data access label. readOnly True type string createTime description Output only. The time at which the data access label was created. format google-datetime readOnly True type string description description Optional. A description of the data access label for a human reader. type string displayName description Output only. The short name displayed for the label as it appears on event data. readOnly True type string lastEditor description Output only. The user who last updated the data access label. readOnly True type string name description Required. The unique resource name of the data access label. type string udmQuery description A UDM query over event data. type string updateTime description Output only. The time at which the data access label was last updated. format google-datetime readOnly True type string type object DataAccessLabelReference description Reference object to a data access label. id DataAccessLabelReference properties assetNamespace description The asset namespace configured in the forwarder of the customer's events. type string dataAccessLabel description The name of the data access label. type string displayName description Output only. The display name of the label. Data access label and log types's name will match the display name of the resource. The asset namespace will match the namespace itself. The ingestion key value pair will match the key of the tuple. readOnly True type string ingestionLabel $ref IngestionLabel description The ingestion label configured in the forwarder of the customer's events. logType description The name of the log type. type string type object DataAccessScope description A DataAccessScope is a boolean expression of data access labels used to restrict access to data for users. id DataAccessScope properties allowAll description Optional. Whether or not the scope allows all labels, allow_all and allowed_data_access_labels are mutually exclusive and one of them must be present. denied_data_access_labels can still be used along with allow_all. When combined with denied_data_access_labels, access will be granted to all data that doesn't have labels mentioned in denied_data_access_labels. E.g.: A customer with scope with denied labels A and B and allow_all will be able to see all data except data labeled with A and data labeled with B and data with labels A and B. type boolean allowedDataAccessLabels description Optional. The allowed labels for the scope. Either allow_all or allowed_data_access_labels needs to be provided. When provided, there has to be at least one label allowed for the scope to be valid. The logical operator for evaluation of the allowed labels is OR. E.g.: A customer with scope with allowed labels A and B will be able to see data with labeled with A or B or (A and B). items $ref DataAccessLabelReference type array author description Output only. The user who created the data access scope. readOnly True type string createTime description Output only. The time at which the data access scope was created. format google-datetime readOnly True type string deniedDataAccessLabels description Optional. The denied labels for the scope. The logical operator for evaluation of the denied labels is AND. E.g.: A customer with scope with denied labels A and B won't be able to see data labeled with A and data labeled with B and data with labels A and B. items $ref DataAccessLabelReference type array description description Optional. A description of the data access scope for a human reader. type string displayName description Output only. The name to be used for display to customers of the data access scope. readOnly True type string lastEditor description Output only. The user who last updated the data access scope. readOnly True type string name description Required. The unique full name of the data access scope. The name should comply with https://google.aip.dev/122 standards. type string updateTime description Output only. The time at which the data access scope was last updated. format google-datetime readOnly True type string type object Empty description A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); } id Empty properties type object EntityCount description Count of different types of entities in the watchlist. id EntityCount properties asset description Output only. Count of asset type entities in the watchlist. format int32 readOnly True type integer user description Output only. Count of user type entities in the watchlist. format int32 readOnly True type integer type object EntityPopulationMechanism description Mechanism to populate entities in the watchlist. id EntityPopulationMechanism properties manual $ref Manual description Optional. Entities are added manually. type object IngestionLabel description Representation of an ingestion label type. id IngestionLabel properties ingestionLabelKey description Required. The key of the ingestion label. Always required. type string ingestionLabelValue description Optional. The value of the ingestion label. Optional. An object with no provided value and some key provided would match against the given key and ANY value. type string type object InputsUsed description InputsUsed is a convenience field that tells us which sources of events (if any) were used in the rule. NEXT TAG: 4 id InputsUsed properties usesDetection description Optional. Whether the rule queries detections. type boolean usesEntity description Optional. Whether the rule queries entity events. type boolean usesUdm description Optional. Whether the rule queries UDM events. type boolean type object Instance description A Instance represents an instantiation of the Instance product. id Instance properties name description Output only. The resource name of this instance. Format: projects/{project}/locations/{region}/instances/{instance} readOnly True type string type object Interval description Represents a time interval, encoded as a Timestamp start (inclusive) and a Timestamp end (exclusive). The start must be less than or equal to the end. When the start equals the end, the interval is empty (matches no time). When both start and end are unspecified, the interval matches any time. id Interval properties endTime description Optional. Exclusive end of the interval. If specified, a Timestamp matching this interval will have to be before the end. format google-datetime type string startTime description Optional. Inclusive start of the interval. If specified, a Timestamp matching this interval will have to be the same or after the start. format google-datetime type string type object ListDataAccessLabelsResponse description Response message for ListDataAccessLabels. id ListDataAccessLabelsResponse properties dataAccessLabels description List of data access labels. items $ref DataAccessLabel type array nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListDataAccessScopesResponse description Response message for ListDataAccessScopes. id ListDataAccessScopesResponse properties dataAccessScopes description List of data access scopes. items $ref DataAccessScope type array globalDataAccessScopeGranted description Whether or not global scope is granted to the user. type boolean nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string type object ListOperationsResponse description The response message for Operations.ListOperations. id ListOperationsResponse properties nextPageToken description The standard List next-page token. type string operations description A list of operations that matches the specified filter in the request. items $ref Operation type array type object ListReferenceListsResponse description A response to a request for a list of reference lists. id ListReferenceListsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string referenceLists description The reference lists. Ordered in ascending alphabetical order by name. items $ref ReferenceList type array type object ListRetrohuntsResponse description Response message for ListRetrohunts method. id ListRetrohuntsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string retrohunts description The retrohunts from the specified rule. items $ref Retrohunt type array type object ListRuleDeploymentsResponse description Response message for ListRuleDeployments. id ListRuleDeploymentsResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string ruleDeployments description The rule deployments from all rules. items $ref RuleDeployment type array type object ListRuleRevisionsResponse description Response message for ListRuleRevisions method. id ListRuleRevisionsResponse properties nextPageToken description A token that can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The revisions of the rule. items $ref Rule type array type object ListRulesResponse description Response message for ListRules method. id ListRulesResponse properties nextPageToken description A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string rules description The rules from the specified instance. items $ref Rule type array type object ListWatchlistsResponse description Response message for listing watchlists. id ListWatchlistsResponse properties nextPageToken description Optional. A token, which can be sent as `page_token` to retrieve the next page. If this field is omitted, there are no subsequent pages. type string watchlists description Optional. The watchlists from the specified instance. items $ref Watchlist type array type object Manual description Entities are added manually. id Manual properties type object Operation description This resource represents a long-running operation that is the result of a network API call. id Operation properties done description If the value is `false`, it means the operation is still in progress. If `true`, the operation is completed, and either `error` or `response` is available. type boolean error $ref Status description The error result of the operation in case of failure or cancellation. metadata additionalProperties description Properties of the object. Contains field @type with type URL. type any description Service-specific metadata associated with the operation. It typically contains progress information and common metadata such as create time. Some services might not provide such metadata. Any method that returns a long-running operation should document the metadata type, if any. type object name description The server-assigned name, which is only unique within the same service that originally returns it. If you use the default HTTP mapping, the `name` should be a resource name ending with `operations/{unique_id}`. type string response additionalProperties description Properties of the object. Contains field @type with type URL. type any description The normal, successful response of the operation. If the original method returns no data on success, such as `Delete`, the response is `google.protobuf.Empty`. If the original method is standard `Get`/`Create`/`Update`, the response should be the resource. For other methods, the response should have the type `XxxResponse`, where `Xxx` is the original method name. For example, if the original method name is `TakeSnapshot()`, the inferred response type is `TakeSnapshotResponse`. type object type object ReferenceList description A reference list. Reference lists are user-defined lists of values which users can use in multiple Rules. id ReferenceList properties description description Required. A user-provided description of the reference list. type string displayName description Output only. The unique display name of the reference list. readOnly True type string entries description Required. The entries of the reference list. When listed, they are returned in the order that was specified at creation or update. The combined size of the values of the reference list may not exceed 6MB. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items $ref ReferenceListEntry type array name description Output only. The resource name of the reference list. Format: projects/{project}/locations/{location}/instances/{instance}/referenceLists/{reference_list} readOnly True type string revisionCreateTime description Output only. The timestamp when the reference list was last updated. format google-datetime readOnly True type string ruleAssociationsCount description Output only. The count of self-authored rules using the reference list. format int32 readOnly True type integer rules description Output only. The resource names for the associated self-authored Rules that use this reference list. This is returned only when the view is REFERENCE_LIST_VIEW_FULL. items type string readOnly True type array scopeInfo $ref ScopeInfo description Output only. The scope info of the reference list. During reference list creation, if this field is not set, the reference list without scopes (an unscoped list) will be created for an unscoped user. For a scoped user, this field must be set. During reference list update, if scope_info is requested to be updated, this field must be set. readOnly True syntaxType description Required. The syntax type indicating how list entries should be validated. enum REFERENCE_LIST_SYNTAX_TYPE_UNSPECIFIED REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING REFERENCE_LIST_SYNTAX_TYPE_REGEX REFERENCE_LIST_SYNTAX_TYPE_CIDR enumDescriptions Defaults to REFERENCE_LIST_SYNTAX_TYPE_PLAIN_TEXT_STRING. List contains plain text patterns. List contains only Regular Expression patterns. List contains only CIDR patterns. type string type object ReferenceListEntry description An entry in a reference list. id ReferenceListEntry properties value description Required. The value of the entry. Maximum length is 512 characters. type string type object ReferenceListScope description ReferenceListScope specifies the list of scope names of the reference list. id ReferenceListScope properties scopeNames description Optional. The list of scope names of the reference list. The scope names should be full resource names and should be of the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope_name}". items type string type array type object Retrohunt description Retrohunt is an execution of a Rule over a time range in the past. id Retrohunt properties executionInterval $ref Interval description Output only. The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be populated. readOnly True name description The resource name of the retrohunt. Retrohunt is the child of a rule revision. {rule} in the format below is structured as {rule_id@revision_id}. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string processInterval $ref Interval description Required. The start and end time of the event time range this retrohunt processes. progressPercentage description Output only. Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float readOnly True type number state description Output only. The state of the retrohunt. enum STATE_UNSPECIFIED RUNNING DONE CANCELLED FAILED enumDescriptions Unspecified or unknown retrohunt state. Running state. Done state. Cancelled state. Failed state. readOnly True type string type object RetrohuntMetadata description Operation Metadata for Retrohunts. id RetrohuntMetadata properties executionInterval $ref Interval description The start and end time of the retrohunt execution. If the retrohunt is not yet finished, the end time of the interval will not be filled. progressPercentage description Percent progress of the retrohunt towards completion, from 0.00 to 100.00. format float type number retrohunt description The name of the retrohunt. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/retrohunts/{retrohunt} type string type object Rule description The Rule resource represents a user-created rule. NEXT TAG: 21 id Rule properties allowedRunFrequencies description Output only. The run frequencies that are allowed for the rule. Populated in BASIC view and FULL view. items enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string readOnly True type array author description Output only. The author of the rule. Extracted from the meta section of text. Populated in BASIC view and FULL view. readOnly True type string compilationDiagnostics description Output only. A list of a rule's corresponding compilation diagnostic messages such as compilation errors and compilation warnings. Populated in FULL view. items $ref CompilationDiagnostic readOnly True type array compilationState description Output only. The current compilation state of the rule. Populated in FULL view. enum COMPILATION_STATE_UNSPECIFIED SUCCEEDED FAILED enumDescriptions The compilation state is unspecified/unknown. The Rule can successfully compile. The Rule cannot successfully compile. This is possible if a backwards-incompatible change was made to the compiler. readOnly True type string createTime description Output only. The timestamp of when the rule was created. Populated in FULL view. format google-datetime readOnly True type string dataTables description Output only. Resource names of the data tables used in this rule. items type string readOnly True type array displayName description Output only. Display name of the rule. Populated in BASIC view and FULL view. readOnly True type string etag description The etag for this rule. If this is provided on update, the request will succeed if and only if it matches the server-computed value, and will fail with an ABORTED error otherwise. Populated in BASIC view and FULL view. type string inputsUsed $ref InputsUsed description Output only. The set of inputs used in the rule. For example, if the rule uses $e.principal.hostname, then the uses_udm field will be true. readOnly True metadata additionalProperties type string description Output only. Additional metadata specified in the meta section of text. Populated in FULL view. readOnly True type object name description Full resource name for the rule. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} type string nearRealTimeLiveRuleEligible description Output only. Indicate the rule can run in near real time live rule. If this is true, the rule uses the near real time live rule when the run frequency is set to LIVE. readOnly True type boolean referenceLists description Output only. Resource names of the reference lists used in this rule. Populated in FULL view. items type string readOnly True type array revisionCreateTime description Output only. The timestamp of when the rule revision was created. Populated in FULL, REVISION_METADATA_ONLY views. format google-datetime readOnly True type string revisionId description Output only. The revision ID of the rule. A new revision is created whenever the rule text is changed in any way. Format: v_{10 digits}_{9 digits} Populated in REVISION_METADATA_ONLY view and FULL view. readOnly True type string scope description Resource name of the DataAccessScope bound to this rule. Populated in BASIC view and FULL view. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}". type string severity $ref Severity description Output only. The severity of the rule as specified in the meta section of text. Populated in BASIC view and FULL view. readOnly True text description The YARA-L content of the rule. Populated in FULL view. type string type description Output only. User-facing type of the rule. Extracted from the events section of rule text. Populated in BASIC view and FULL view. enum RULE_TYPE_UNSPECIFIED SINGLE_EVENT MULTI_EVENT enumDescriptions The rule type is unspecified/unknown. Rule checks for the existence of a single event. Rule checks for correlation between multiple events readOnly True type string type object RuleDeployment description The RuleDeployment resource represents the deployment state of a Rule. id RuleDeployment properties alerting description Whether detections resulting from this deployment should be considered alerts. type boolean archiveTime description Output only. The timestamp when the rule deployment archive state was last set to true. If the rule deployment's current archive state is not set to true, the field will be empty. format google-datetime readOnly True type string archived description The archive state of the rule deployment. Cannot be set to true unless enabled is set to false. If set to true, alerting will automatically be set to false. If currently set to true, enabled, alerting, and run_frequency cannot be updated. type boolean consumerRules description Output only. The names of the associated/chained consumer rules. Rules are considered consumers of this rule if their rule text explicitly filters on this rule's ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array enabled description Whether the rule is currently deployed continuously against incoming data. type boolean executionState description Output only. The execution state of the rule deployment. enum EXECUTION_STATE_UNSPECIFIED DEFAULT LIMITED PAUSED enumDescriptions Unspecified or unknown execution state. Default execution state. Rules in limited state may not have their executions guaranteed. Paused rules are not executed at all. readOnly True type string lastAlertStatusChangeTime description Output only. The timestamp when the rule deployment alert state was lastly changed. This is filled regardless of the current alert state. E.g. if the current alert status is false, this timestamp will be the timestamp when the alert status was changed to false. format google-datetime readOnly True type string name description Required. The resource name of the rule deployment. Note that RuleDeployment is a child of the overall Rule, not any individual revision, so the resource ID segment for the Rule resource must not reference a specific revision. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule}/deployment type string producerRules description Output only. The names of the associated/chained producer rules. Rules are considered producers for this rule if this rule explicitly filters on their ruleid. Format: projects/{project}/locations/{location}/instances/{instance}/rules/{rule} items type string readOnly True type array runFrequency description The run frequency of the rule deployment. enum RUN_FREQUENCY_UNSPECIFIED LIVE HOURLY DAILY enumDescriptions The run frequency is unspecified/unknown. Executes in real time. Executes once per hour. Executes once per day. type string type object ScopeInfo description ScopeInfo specifies the scope info of the reference list. id ScopeInfo properties referenceListScope $ref ReferenceListScope description Required. The list of scope names of the reference list, if the list is empty the reference list is treated as unscoped. type object Severity description Severity represents the severity level of the rule. id Severity properties displayName description The display name of the severity level. Extracted from the meta section of the rule text. type string type object Status description The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). id Status properties code description The status code, which should be an enum value of google.rpc.Code. format int32 type integer details description A list of messages that carry the error details. There is a common set of message types for APIs to use. items additionalProperties description Properties of the object. Contains field @type with type URL. type any type object type array message description A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type string type object UdmSearchOperationMetadata description Information about a UDM Search operation. This message is used to populate the `metadata` field of `Operation` resources created by UDM Search. id UdmSearchOperationMetadata properties baselineEventsCount description The number of events matching the baseline query so far. format int32 type integer baselineQuery description Query used to search for events. type string baselineTimeRange $ref Interval description The time range used for the baseline query [inclusive start time, exclusive end time). caseInsensitive description If true, the search was performed in a case-insensitive manner. type boolean endTime description The end time of the operation, if done. format google-datetime type string expireTime description The time when the operation results expire. This time may change while the operation is in progress. If unset, the results never expire. format google-datetime type string filteredEventsCount description The number of events matching the snapshot query so far. This is <= `baseline_events_count`. If the snapshot query is empty, this will be equal to `baseline_events_count`. format int32 type integer progress description A value from 0 to 1 representing the progress of the operation. format double type number snapshotQuery description Query used to filter the baseline query's events. type string snapshotTimeRange $ref Interval description Time range used to filter the baseline query's events [inclusive start time, exclusive end time). This time range is completely within `baseline_time_range`. If not set, it is assumed to match `baseline_time_range`. startTime description The start time of the operation. format google-datetime type string statsRowsCount description The total number of rows returned for a stats query. format int32 type integer type object UserError description This message exists solely to get the `UserErrorReason` enum to appear in the service discovery document. id UserError properties reason description The reason for a specific error that should be shown to the app user. enum USER_ERROR_REASON_UNSPECIFIED RULE_REFERENCES_OUT_OF_SCOPE RULE_ARCHIVED RULE_STALE_VERSION RULE_ACTIVE RULE_RETROHUNT_RUNNING RULE_LIVE RULE_ALREADY_DISABLED EXPENSIVE_RULE_LARGE_WINDOW RULE_LIMITED_PAUSED REFERENCE_LIST_NOT_FOUND UEBA_RULES_NO_SCOPE RULE_TESTING_INTERVAL_TOO_SHORT SEARCH_CSV_FIELDS_NOT_SUPPORTED INVALID_ARGUMENT_FOR_DASHBOARD_FILTER INVALID_CONFIG_FOR_DASHBOARD_IMPORT RETROHUNT_LIMIT_REACHED enumDescriptions Do not use this default value. The rule text references resources, such as reference lists, that are out of scope for the rule. Example of an ErrorInfo for this reason: { "reason": "RULE_REFERENCES_OUT_OF_SCOPE", "domain": "chronicle.googleapis.com", "metadata": { "reference_lists": "list_name1,list_name2,list_name3,", } } The rule being operated on (saving or setting run frequency) is archived, and so the operation can't be done. The rule version being operated on is not the latest, and so the operation can't be done. The rule can't be archived because it is live (detecting) and a retrohunt is running. The rule can't be archived because a retrohunt is running against it. The rule can't be archived because it is live (detecting). The rule can't be disabled because is is already disabled. The rule's match time window is too large for its current run frequency. The rule can't be enabled because it has been limited or paused because of high resource use. The list being referred to doesn't exist. UEBA rules may not be assigned a data access scope. The rule's match window is longer than the time range it's being tested over. Returns the match window duration and testing interval duration as metadata labeled `match_window_duration` and `testing_interval_duration`, formatted as Go durations. Example ErrorInfo: { "reason": "RULE_TESTING_INTERVAL_TOO_SHORT", "domain": "chronicle.googleapis.com", "metadata": { "match_window_duration": "24h", "testing_interval_duration": "12h", } } The CSV fields are not supported for download. Returns the unsupported fields as metadata labeled `unsupported_fields`. Example ErrorInfo: { "reason": "SEARCH_CSV_FIELDS_NOT_SUPPORTED", "domain": "chronicle.googleapis.com", "metadata": { "unsupported_fields": "udm.about.security_result.variables,udm.network.http.parsed_user_agent.family", } } Invalid argument for dashboard chart filters. Returns the filter name, filter value, operator, and expected type as metadata labeled `filter_name`, `filter_value`, `operator`, and `expected_type`, respectively. Example ErrorInfo: { "reason": "INVALID_ARGUMENT_FOR_DASHBOARD_FILTER", "domain": "chronicle.googleapis.com", "metadata": { "filter_name": "filter_name", "filter_value": "filter_value", "operater": "operator", "expected_type": "expected_type", } } Invalid config for dashboard import. Example ErrorInfo: { "reason": "INVALID_CONFIG_FOR_DASHBOARD_IMPORT", "domain": "chronicle.googleapis.com", } The user has reached the limit of retrohunts that can be run. Returns the retrohunt limit as metadata labeled `retrohunt_limit`. Example ErrorInfo: { "reason": "RETROHUNT_LIMIT_REACHED", "domain": "chronicle.googleapis.com", "metadata": { "retrohunt_limit": "10", } } type string type object Watchlist description A watchlist is a list of entities that allows for bulk operations over the included entities. id Watchlist properties createTime description Output only. Time the watchlist was created. format google-datetime readOnly True type string description description Optional. Description of the watchlist. type string displayName description Required. Display name of the watchlist. Note that it must be at least one character and less than 63 characters (https://google.aip.dev/148). type string entityCount $ref EntityCount description Output only. Entity count in the watchlist. readOnly True entityPopulationMechanism $ref EntityPopulationMechanism description Required. Mechanism to populate entities in the watchlist. multiplyingFactor description Optional. Weight applied to the risk score for entities in this watchlist. The default is 1.0 if it is not specified. format float type number name description Identifier. Resource name of the watchlist. Format: projects/{project}/locations/{location}/instances/{instance}/watchlists/{watchlist} type string updateTime description Output only. Time the watchlist was last updated. format google-datetime readOnly True type string watchlistUserPreferences $ref WatchlistUserPreferences description Optional. User preferences for watchlist configuration. type object WatchlistUserPreferences description A collection of user preferences for watchlist UI configuration. id WatchlistUserPreferences properties pinned description Optional. Whether the watchlist is pinned on the dashboard. type boolean type object
prod/us-east1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-east1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-east4-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east4-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east4-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-east4-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-east4-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-enterpriseknowledgegraph-	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/us-enterpriseknowledgegraph-v1	values_changed root['revision'] new_value 20250228 old_value 20250221
prod/us-rbmopenmaap-	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/us-rbmopenmaap-v1	values_changed root['revision'] new_value 20250313 old_value 20250310
prod/us-taskassist-pa-	dictionary_item_added root['schemas']['SourceId']['properties']['threadLocator'] values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-taskassist-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-taskassist-pa-v2	dictionary_item_added root['schemas']['SourceId']['properties']['threadLocator'] values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west1-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west1-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west1-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west1-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-west1-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-west2-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250306
prod/us-west2-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250306
prod/us-west3-dataproccontrol-	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/us-west3-dataproccontrol-v1	values_changed root['revision'] new_value 20250311 old_value 20250224
prod/us-west4-connectgateway-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west4-connectgateway-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west4-connectgateway-v1beta1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/us-west4-containerfilesystem-	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/us-west4-containerfilesystem-v1	values_changed root['revision'] new_value 20250307 old_value 20250221
prod/usercontext-	values_changed root['revision'] new_value 20250312 old_value 20250226
prod/usercontext-v1	values_changed root['revision'] new_value 20250312 old_value 20250226
prod/userlocation-	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/userlocation-v1	values_changed root['revision'] new_value 20250311 old_value 20250304
prod/userpaneltv-pa-	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/userpaneltv-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250303
prod/vectortile-	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/vectortile-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/workloadcertificate-v1alpha1	values_changed root['revision'] new_value 20240117 old_value 20240103
prod/workspaceui-pa-	values_changed root['revision'] new_value 20250310 old_value 20250226
prod/workspaceui-pa-v1	values_changed root['revision'] new_value 20250310 old_value 20250226
prod/workspacevideo-pa-	values_changed root['revision'] new_value 20250311 old_value 20250309
prod/workspacevideo-pa-v1	values_changed root['revision'] new_value 20250312 old_value 20250309
prod/youtubeembeddedplayer-	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/youtubeembeddedplayer-v1beta1	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/youtubeoembed-	values_changed root['revision'] new_value 20250312 old_value 20250305
prod/youtubeoembed-v1	values_changed root['revision'] new_value 20250312 old_value 20250305