Spaces:

Galatea007
/

LLMopsDK

Paused

App Files Files Community

Galatea007 commited on Oct 5, 2024

Commit

0bf70b9

verified ·

1 Parent(s): 146eb8d

Upload udm_field_list.csv

Browse files

Files changed (1) hide show

udm_field_list.csv +989 -0

udm_field_list.csv ADDED Viewed

	@@ -0,0 +1,989 @@

+Field Name,Type,Description
+metadata,EntityMetadata,"Entity metadata such as timestamp, product, etc."
+entity,Noun,Noun in the UDM event that this entity represents.
+relations,Relation,"One or more relationships between the entity (a) and other entities, including the relationship type and related entity."
+additional,google.protobuf.Struct,"Important entity data that cannot be adequately represented within
+the formal sections of the Entity."
+risk_score,EntityRisk,Stores information related to the entity's risk score.
+metric,Metric,"Stores statistical metrics about the entity. Used if metadata.entity_type
+is METRIC."
+product_entity_id,string,"A vendor-specific identifier that uniquely identifies the entity
+(e.g. a GUID, LDAP, OID, or similar)."
+collected_timestamp,google.protobuf.Timestamp,"GMT timestamp when the entity information was collected by the vendor's
+local collection infrastructure."
+creation_timestamp,google.protobuf.Timestamp,"GMT timestamp when the entity described by the product_entity_id was
+created on the system where data was collected."
+interval,google.type.Interval,"Valid existence time range for the version of the entity represented by
+this entity data."
+vendor_name,string,Vendor name of the product that produced the entity information.
+product_name,string,Product name that produced the entity information.
+feed,string,Vendor feed name for a threat indicator feed.
+product_version,string,Version of the product that produced the entity information.
+entity_type,EntityMetadata.EntityType   (Enumerated list),"Entity type.
+If an entity has multiple possible types, this specifies the most specific
+type."
+description,string,Human-readable description of the entity.
+threat,SecurityResult,"Metadata provided by a threat intelligence feed that identified the
+entity as malicious."
+source_type,EntityMetadata.SourceType   (Enumerated list),The source of the entity.
+source_labels,Label,Entity source metadata labels.
+event_metadata,Metadata,Metadata field from the event.
+risk_version,string,Version of the risk score calculation algorithm.
+risk_window,google.type.Interval,"Time window used when computing the risk score for an entity, for
+example 24 hours or 7 days."
+DEPRECATED_risk_score,int32,Deprecated risk score.
+risk_delta,RiskDelta,"Represents the change in risk score for an entity between the end of the
+previous time window and the end of the current time window."
+detections_count,int32,Number of detections that make up the risk score within the time window.
+first_detection_time,google.protobuf.Timestamp,"Timestamp of the first detection within the specified time window.
+This field is empty when there are no detections."
+last_detection_time,google.protobuf.Timestamp,"Timestamp of the last detection within the specified time window.
+This field is empty when there are no detections."
+risk_score,float,Raw risk score for the entity.
+normalized_risk_score,int32,Normalized risk score for the entity. This value is between 0-1000.
+risk_window_size,Int64,Risk window duration for the Entity.
+raw_risk_delta,RiskDelta,"Represents the change in raw risk score for an entity between the end of
+the previous time window and the end of the current time window."
+first_seen,google.protobuf.Timestamp,Timestamp of the first time the entity was seen in the environment.
+last_seen,google.protobuf.Timestamp,Timestamp of the last time the entity was seen in the environment.
+sum_measure,Metric.Measure,Sum of all precomputed measures for the given metric.
+total_events,int64,Total number of events used to calculate the given precomputed metric.
+metric_name,Metric.MetricName   (Enumerated list),Name of the analytic.
+dimensions,Metric.Dimension   (Enumerated list),All group by clauses used to calculate the metric.
+export_window,int64,Export window for which the metric was exported.
+value,double,Value of the aggregated measure.
+aggregate_function,Metric.AggregateFunction   (Enumerated list),Function used to calculate the aggregated measure.
+entity,Noun,Entity (b) that the primary entity (a) is related to.
+entity_type,EntityMetadata.EntityType   (Enumerated list),Type of the related entity (b) in this relationship.
+relationship,Relation.Relationship   (Enumerated list),Type of relationship.
+direction,Relation.Directionality   (Enumerated list),"Directionality of relationship between primary entity (a) and the
+related entity (b)."
+uid,bytes,UID of the relationship.
+entity_label,Relation.EntityLabel   (Enumerated list),Label to identify the Noun of the relation.
+previous_range_end_time,google.protobuf.Timestamp,End time of the previous time window.
+risk_score_delta,int32,Difference in the normalized risk score from the previous recorded value.
+previous_risk_score,int32,Risk score from previous risk window
+risk_score_numeric_delta,int32,Numeric change between current and previous risk score
+metadata,Metadata,"Event metadata such as timestamp, source product, etc."
+additional,google.protobuf.Struct,"Any important vendor-specific event data that cannot be adequately
+represented within the formal sections of the UDM model."
+principal,Noun,"Represents the acting entity that originates the activity
+described in the event. The principal must include at least one machine
+detail (hostname, MACs, IPs, port, product-specific identifiers like an
+EDR asset ID) or user detail (for example, username), and optionally
+include process details. It must NOT include any of the following fields:
+email, files, registry keys, or values."
+src,Noun,"Represents a source entity being acted upon by the participant along with
+the device or process context for the source object (the machine where the
+source object resides). For example, if user U copies file A on machine X
+to file B on machine Y, both file A and machine X would be specified in the
+src portion of the UDM event."
+target,Noun,"Represents a target entity being referenced by the event or an object on
+the target entity. For example, in a firewall connection from device A to
+device B, A is described as the principal and B is described as the target.
+For a process injection by process C into target process D, process C is
+described as the principal and process D is described as the target."
+intermediary,Noun,"Represents details on one or more intermediate entities processing activity
+described in the event. This includes device details about a proxy server
+or SMTP relay server. If an active event (that has a principal and
+possibly target) passes through any intermediaries, they're added here.
+Intermediaries can impact the overall action, for example blocking or
+modifying an ongoing request.  A rule of thumb here is that 'principal',
+'target', and description of the initial action should be the same
+regardless of the intermediary or its action.  A successful network
+connection from A->B should look the same in principal/target/intermediary
+as one blocked by firewall C: principal: A, target: B (intermediary: C)."
+observer,Noun,"Represents an observer entity (for example, a packet sniffer or
+network-based vulnerability scanner), which is not a direct intermediary,
+but which observes and reports on the event in question."
+about,Noun,"Represents entities referenced by the event that are not otherwise
+described in principal, src, target, intermediary or observer. For example,
+it could be used to track email file attachments, domains/URLs/IPs embedded
+within an email body, and DLLs that are loaded during a PROCESS_LAUNCH
+event."
+security_result,SecurityResult,A list of security results.
+network,Network,"All network details go here, including sub-messages with details on each
+protocol (for example, DHCP, DNS, or HTTP)."
+extensions,Extensions,"All other first-class, event-specific metadata goes in this message.
+Don't place protocol metadata in Extensions; put it in Network."
+auth,Authentication,An authentication extension.
+vulns,Vulnerabilities,A vulnerability extension.
+id,bytes,ID of the UDM event. Can be used for raw and normalized event retrieval.
+product_log_id,string,"A vendor-specific event identifier to uniquely identify the event (for example: a
+GUID)."
+event_timestamp,google.protobuf.Timestamp,The GMT timestamp when the event was generated.
+collected_timestamp,google.protobuf.Timestamp,"The GMT timestamp when the event was collected by the vendor's local
+collection infrastructure."
+ingested_timestamp,google.protobuf.Timestamp,The GMT timestamp when the event was ingested (received) by Google Security Operations.
+event_type,Metadata.EventType,"The event type.
+If an event has multiple possible types, this specifies the most specific
+type."
+vendor_name,string,The name of the product vendor.
+product_name,string,The name of the product.
+product_version,string,The version of the product.
+product_event_type,string,"A short, descriptive, human-readable, product-specific event name or type
+(for example: ""Scanned X"", ""User account created"", ""process_start"")."
+product_deployment_id,string,The deployment identifier assigned by the vendor for a product deployment.
+description,string,A human-readable unparsable description of the event.
+url_back_to_product,string,A URL that takes the user to the source product console for this event.
+ingestion_labels,Label,User-configured ingestion metadata labels.
+tags,Tags,"Tags added by Google Security Operations after an event is parsed. It is an error to
+populate this field from within a parser."
+enrichment_state,Metadata.EnrichmentState,The enrichment state.
+log_type,string,The string value of log type.
+base_labels,DataAccessLabels,Data access labels on the base event.
+enrichment_labels,DataAccessLabels,"Data access labels from all the contextual events used to enrich the base
+event."
+sent_bytes,uint64,The number of bytes sent.
+received_bytes,uint64,The number of bytes received.
+sent_packets,int64,The number of packets sent.
+received_packets,int64,The number of packets received.
+session_duration,Int64,"The duration of the session as the number of seconds and nanoseconds.
+For seconds, network.session_duration.seconds, the type is a 64-bit
+integer. For nanoseconds, network.session_duration.nanos, the type is a
+32-bit integer."
+session_id,string,The ID of the network session.
+parent_session_id,string,The ID of the parent network session.
+application_protocol_version,string,"The version of the application protocol. e.g. ""1.1, 2.0"""
+community_id,string,Community ID network flow value.
+direction,Network.Direction,The direction of network traffic.
+ip_protocol,Network.IpProtocol,The IP protocol.
+application_protocol,Network.ApplicationProtocol,The application protocol.
+ftp,Ftp,FTP info.
+email,Email,Email info for the sender/recipient.
+dns,Dns,DNS info.
+dhcp,Dhcp,DHCP info.
+http,Http,HTTP info.
+tls,Tls,TLS info.
+smtp,Smtp,"SMTP info.
+Store fields specific to SMTP not covered by Email."
+asn,string,Autonomous system number.
+dns_domain,string,DNS domain name.
+carrier_name,string,Carrier identification.
+organization_name,string,Organization name (e.g Google).
+ip_subnet_range,string,Associated human-readable IP subnet range (e.g. 10.1.2.0/24).
+hostname,string,"Client hostname or domain name field.
+Hostname also doubles as the domain for remote entities."
+domain,Domain,Information about the domain.
+artifact,Artifact,Information about an artifact.
+url_metadata,URL,Information about the URL.
+asset_id,string,The asset ID.
+user,User,Information about the user.
+user_management_chain,User,"Information about the user's management chain (reporting hierarchy).
+Note: user_management_chain is only populated when data is exported to
+BigQuery since recursive fields (e.g. user.managers) are not supported by
+BigQuery."
+group,Group,Information about the group.
+process,Process,Information about the process.
+process_ancestors,Process,"Information about the process's ancestors ordered from immediate ancestor
+(parent process) to root.
+Note: process_ancestors is only populated when data is exported to BigQuery
+since recursive fields (e.g. process.parent_process) are not supported by
+BigQuery."
+asset,Asset,Information about the asset.
+ip,string,A list of IP addresses associated with a network connection.
+nat_ip,string,A list of NAT translated IP addresses associated with a network connection.
+port,int32,"Source or destination network port number when a specific network
+connection is described within an event."
+nat_port,int32,"NAT external network port number when a specific network connection is
+described within an event."
+mac,string,List of MAC addresses associated with a device.
+administrative_domain,string,"Domain which the device belongs to (for example, the Microsoft Windows
+domain)."
+namespace,string,"Namespace which the device belongs to, such as ""AD forest"".
+Uses for this field include Microsoft Windows AD forest, the name of
+subsidiary, or the name of acquisition."
+URL,string,The URL.
+file,File,Information about the file.
+email,string,"Email address.
+Only filled in for security_result.about"
+registry,Registry,Registry information.
+application,string,"The name of an application or service.
+Some SSO solutions only capture the name of a target application
+such as ""Atlassian"" or ""Google""."
+platform,Noun.Platform,Platform.
+platform_version,string,"Platform version. For example,
+""Microsoft Windows 1803""."
+platform_patch_level,string,"Platform patch level.
+For example, ""Build 17134.48"""
+cloud,Cloud,"Cloud metadata.
+Deprecated: cloud should be populated in entity Attribute as generic
+metadata (e.g. asset.attribute.cloud)."
+location,Location,"Physical location. For cloud environments, set the region in
+location.name."
+ip_location,Location,Deprecated: use ip_geo_artifact.location instead.
+ip_geo_artifact,Artifact,"Enriched geographic information corresponding to an IP address.
+Specifically, location and network data."
+resource,Resource,"Information about the resource (e.g. scheduled task, calendar entry).
+This field should not be used for files, registry, or processes because
+these objects are already part of Noun."
+resource_ancestors,Resource,"Information about the resource's ancestors ordered from immediate ancestor
+(starting with parent resource)."
+labels,Label,"Labels are key-value pairs.
+For example: key = ""env"", value = ""prod"".
+Deprecated: labels should be populated in entity Attribute as generic
+metadata (e.g. user.attribute.labels)."
+object_reference,Id,Finding to which the Analyst updated the feedback.
+investigation,Investigation,Analyst feedback/investigation for alerts.
+network,Network,"Network details, including sub-messages with details on each protocol
+(for example, DHCP, DNS, or HTTP)."
+security_result,SecurityResult,A list of security results.
+about,Noun,"If the security result is about a specific entity (Noun), add it here."
+category,SecurityResult.SecurityCategory,The security category.
+category_details,string,"For vendor-specific categories. For web categorization, put type in here
+such as ""gambling"" or ""porn""."
+threat_name,string,"A vendor-assigned classification common across multiple customers
+(e.g. ""W32/File-A"", ""Slammer"")."
+rule_set,string,"The result's rule set identifier.
+(e.g. ""windows-threats"")"
+rule_set_display_name,string,The curated detections rule set display name.
+ruleset_category_display_name,string,"The curated detection rule set category display name.
+(for example, if rule_set_display_name is ""CDIR SCC Enhanced Exfiltration"",
+the rule_set_category is ""Cloud Threats"")."
+rule_id,string,"A vendor-specific ID and name for a rule, varying by observerer type
+(e.g. ""08123"", ""5d2b44d0-5ef6-40f5-a704-47d61d3babbe"")."
+rule_name,string,"Name of the security rule
+(e.g. ""BlockInboundToOracle"")."
+rule_version,string,"Version of the security rule.
+(e.g. ""v1.1"", ""00001"", ""1604709794"", ""2020-11-16T23:04:19+00:00"").
+Note that rule versions are source-dependant and lexical ordering
+should not be assumed."
+rule_type,string,The type of security rule.
+rule_author,string,Author of the security rule.
+rule_labels,Label,"A list of rule labels that can't be captured by the other fields
+in security result
+(e.g. ""reference : AnotherRule"", ""contributor : John"")."
+alert_state,SecurityResult.AlertState,The alerting types of this security result.
+detection_fields,Label,"An ordered list of values, that represent fields in detections for a
+security finding. This list represents mapping of names of requested
+entities to their values (i.e. the security result matched variables) ."
+outcomes,Label,"A list of outcomes that represent the results of this security finding.
+This list represents a mapping of names of the requested outcomes,
+to their values."
+summary,string,"A human readable summary (e.g. ""failed login occurred"")"
+description,string,"A human readable description (e.g. ""user password was wrong"")"
+action,SecurityResult.Action,Actions taken for this event.
+action_details,string,The detail of the action taken as provided by the vendor.
+severity,SecurityResult.ProductSeverity,The severity of the result.
+confidence,SecurityResult.ProductConfidence,The confidence level of the result as estimated by the product.
+priority,SecurityResult.ProductPriority,The priority of the result.
+risk_score,float,The risk score of the security result.
+confidence_score,float,The confidence score of the security result.
+analytics_metadata,AnalyticsMetadata,Stores metadata about each risk analytic metric the rule uses.
+severity_details,string,Vendor-specific severity.
+confidence_details,string,"Additional detail with regards to the confidence of a security event as
+estimated by the product vendor."
+priority_details,string,Vendor-specific information about the security result priority.
+url_back_to_product,string,URL that takes the user to the source product console for this event.
+threat_id,string,Vendor-specific ID for a threat.
+threat_feed_name,string,Vendor feed name for a threat indicator feed.
+threat_id_namespace,Id.Namespace,"The attribute threat_id_namespace qualifies threat_id with an ID namespace
+to get an
+unique ID. The attribute threat_id by itself is not unique across Google SecOps
+as it is a vendor specific ID."
+threat_status,SecurityResult.ThreatStatus,Current status of the threat
+attack_details,AttackDetails,MITRE ATT&CK details.
+first_discovered_time,google.protobuf.Timestamp,First time the IoC threat was discovered in the provider.
+associations,SecurityResult.Association,Associations related to the threat.
+campaigns,string,Campaigns using this IOC threat.
+verdict,SecurityResult.Verdict,"Verdict about the IoC from the provider.
+This field is now deprecated. Use VerdictInfo instead."
+last_updated_time,google.protobuf.Timestamp,Last time the IoC threat was updated in the provider.
+verdict_info,SecurityResult.VerdictInfo,Verdict information about the IoC from the provider.
+threat_verdict,ThreatVerdict,GCTI threat verdict on the security result entity.
+last_discovered_time,google.protobuf.Timestamp,Last time the IoC was seen in the provider data.
+analytic,string,Name of the analytic.
+ip,string,IP address of the artifact.
+prevalence,Prevalence,The prevalence of the artifact within the customer's environment.
+first_seen_time,google.protobuf.Timestamp,First seen timestamp of the IP in the customer's environment.
+last_seen_time,google.protobuf.Timestamp,Last seen timestamp of the IP address in the customer's environment.
+location,Location,Location of the Artifact's IP address.
+network,Network,Network information related to the Artifact's IP address.
+as_owner,string,Owner of the Autonomous System to which the IP address belongs.
+asn,int64,Autonomous System Number to which the IP address belongs.
+jarm,string,"The JARM hash for the IP address.
+(https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a)."
+last_https_certificate,SSLCertificate,SSL certificate information about the IP address.
+last_https_certificate_date,google.protobuf.Timestamp,Most recent date for the certificate in VirusTotal.
+regional_internet_registry,string,"RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC)."
+tags,string,Identification attributes
+whois,string,WHOIS information as returned from the pertinent WHOIS server.
+whois_date,google.protobuf.Timestamp,Date of the last update of the WHOIS record in VirusTotal.
+product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (a GUID  or
+similar)."
+hostname,string,Asset hostname or domain name field.
+asset_id,string,"The asset ID. Value must contain the ':' character. For example,
+cs:abcdd23434."
+ip,string,A list of IP addresses associated with an asset.
+mac,string,List of MAC addresses associated with an asset.
+nat_ip,string,List of NAT IP addresses associated with an asset.
+first_seen_time,google.protobuf.Timestamp,"The first observed time for an asset.
+The value is calculated on the basis of the
+first time the identifier was observed."
+hardware,Hardware,The asset hardware specifications.
+platform_software,PlatformSoftware,The asset operating system platform software.
+software,Software,The asset software details.
+location,Location,Location of the asset.
+category,string,"The category of the asset (e.g. ""End User Asset"", ""Workstation"", ""Server"")."
+type,Asset.AssetType,The type of the asset (e.g. workstation or laptop or server).
+network_domain,string,"The network domain of the asset (e.g. ""corp.acme.com"")"
+creation_time,google.protobuf.Timestamp,"Time the asset was created or provisioned.
+Deprecate: creation_time should be populated in Attribute as generic
+metadata."
+first_discover_time,google.protobuf.Timestamp,"Time the asset was first discovered (by asset management/discoverability
+software)."
+last_discover_time,google.protobuf.Timestamp,"Time the asset was last discovered (by asset management/discoverability
+software)."
+system_last_update_time,google.protobuf.Timestamp,"Time the asset system or OS was last updated.
+For all other operations that are not system updates (such as resizing a
+VM), use Attribute.last_update_time."
+last_boot_time,google.protobuf.Timestamp,Time the asset was last boot started.
+labels,Label,"Metadata labels for the asset.
+Deprecated: labels should be populated in Attribute as generic metadata."
+deployment_status,Asset.DeploymentStatus,The deployment status of the asset for device lifecycle purposes.
+vulnerabilities,Vulnerability,Vulnerabilities discovered on asset.
+attribute,Attribute,Generic entity metadata attributes of the asset.
+version,string,ATT&CK version (e.g. 12.1).
+tactics,AttackDetails.Tactic,Tactics employed.
+techniques,AttackDetails.Technique,Techniques employed.
+id,string,"Tactic ID (e.g. ""TA0043"")."
+name,string,"Tactic Name (e.g. ""Reconnaissance"")"
+id,string,"Technique ID (e.g. ""T1595"")."
+name,string,"Technique Name (e.g. ""Active Scanning"")."
+subtechnique_id,string,"Subtechnique ID (e.g. ""T1595.001"")."
+subtechnique_name,string,"Subtechnique Name (e.g. ""Scanning IP Blocks"")."
+cloud,Cloud,"Cloud metadata attributes such as project ID, account ID, or organizational
+hierarchy."
+labels,Label,"Set of labels for the entity. Should only be used for product labels (for
+example, Google Cloud resource labels or Azure AD sensitivity labels.
+Should not be used for arbitrary key-value mappings."
+permissions,Permission,"System permissions for IAM entity
+(human principal, service account, group)."
+roles,Role,"System IAM roles to be assumed by resources to use the role's permissions
+for access control."
+creation_time,google.protobuf.Timestamp,Time the resource or entity was created or provisioned.
+last_update_time,google.protobuf.Timestamp,Time the resource or entity was last updated.
+type,Authentication.AuthType,The type of authentication.
+mechanism,Authentication.Mechanism,The authentication mechanism.
+auth_details,string,The vendor defined details of the authentication.
+version,string,Certificate version.
+serial,string,Certificate serial number.
+subject,string,Subject of the certificate.
+issuer,string,Issuer of the certificate.
+md5,string,"The MD5 hash of the certificate, as a hex-encoded string."
+sha1,string,"The SHA1 hash of the certificate, as a hex-encoded string."
+sha256,string,"The SHA256 hash of the certificate, as a hex-encoded string."
+not_before,google.protobuf.Timestamp,Indicates when the certificate is first valid.
+not_after,google.protobuf.Timestamp,Indicates when the certificate is no longer valid.
+environment,Cloud.CloudEnvironment,The Cloud environment.
+vpc,Resource,"The cloud environment VPC.
+Deprecated."
+project,Resource,"The cloud environment project information.
+Deprecated: Use Resource.resource_ancestors"
+availability_zone,string,"The cloud environment availability zone (different from region which is
+location.name)."
+type,string,Type.
+value,string,Value.
+ttl,Int64,Time to live.
+priority,int64,Priority.
+retry,int64,Retry.
+refresh,Int64,Refresh.
+minimum,Int64,Minimum.
+expire,Int64,Expire.
+serial,int64,Serial.
+rname,string,Rname.
+opcode,Dhcp.OpCode,The BOOTP op code.
+htype,uint32,Hardware address type.
+hlen,uint32,Hardware address length.
+hops,uint32,Hardware ops.
+transaction_id,uint32,Transaction ID.
+seconds,uint32,Seconds elapsed since client began address acquisition/renewal process.
+flags,uint32,Flags.
+ciaddr,string,Client IP address (ciaddr).
+yiaddr,string,Your IP address (yiaddr).
+siaddr,string,IP address of the next bootstrap server.
+giaddr,string,Relay agent IP address (giaddr).
+chaddr,string,Client hardware address (chaddr).
+sname,string,Server name that the client wishes to boot from.
+file,string,Boot image filename.
+options,Dhcp.Option,List of DHCP options.
+type,Dhcp.MessageType,DHCP message type.
+lease_time_seconds,uint32,"Lease time in seconds. See RFC2132, section 9.2."
+client_hostname,string,"Client hostname. See RFC2132, section 3.14."
+client_identifier,bytes,"Client identifier. See RFC2132, section 9.14."
+requested_address,string,"Requested IP address. See RFC2132, section 9.1."
+code,uint32,Code. See RFC1533.
+data,bytes,Data.
+id,uint32,DNS query id.
+response,bool,Set to true if the event is a DNS response. See QR field from RFC1035.
+opcode,uint32,"The DNS OpCode used to specify the type of DNS query
+(for example, QUERY, IQUERY, or STATUS)."
+authoritative,bool,"Other DNS header flags. See RFC1035, section 4.1.1."
+truncated,bool,Whether the DNS response was truncated.
+recursion_desired,bool,Whether a recursive DNS lookup is desired.
+recursion_available,bool,Whether a recursive DNS lookup is available.
+response_code,uint32,Response code. See RCODE from RFC1035.
+questions,Dns.Question,A list of domain protocol message questions.
+answers,Dns.ResourceRecord,A list of answers to the domain name query.
+authority,Dns.ResourceRecord,"A list of domain name servers which verified the answers to the domain name
+queries."
+additional,Dns.ResourceRecord,"A list of additional domain name servers that can be used to verify the
+answer to the domain."
+name,string,The domain name.
+type,uint32,The code specifying the type of the query.
+class,uint32,The code specifying the class of the query.
+prevalence,Prevalence,The prevalence of the domain within the customer's environment.
+name,string,The name of the owner of the resource record.
+type,uint32,The code specifying the type of the resource record.
+class,uint32,The code specifying the class of the resource record.
+ttl,uint32,"The time interval for which the resource record can be cached before the
+source of the information should again be queried."
+data,string,"The payload or response to the DNS question for all responses encoded in
+UTF-8 format"
+binary_data,bytes,"The raw bytes of any non-UTF8 strings that might be included as part of a
+DNS response."
+name,string,The domain name.
+prevalence,Prevalence,The prevalence of the domain within the customer's environment.
+first_seen_time,google.protobuf.Timestamp,First seen timestamp of the domain in the customer's environment.
+last_seen_time,google.protobuf.Timestamp,Last seen timestamp of the domain in the customer's environment.
+registrar,string,"Registrar name . FOr example, ""Wild West Domains, Inc. (R120-LROR)"",
+""GoDaddy.com, LLC"", or ""PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM""."
+contact_email,string,Contact email address.
+whois_server,string,Whois server name.
+name_server,string,Repeated list of name servers.
+creation_time,google.protobuf.Timestamp,Domain creation time.
+update_time,google.protobuf.Timestamp,Last updated time.
+expiration_time,google.protobuf.Timestamp,Expiration time.
+audit_update_time,google.protobuf.Timestamp,Audit updated time.
+status,string,"Domain status. See
+https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en
+for meanings of possible values"
+registrant,User,Parsed contact information for the registrant of the domain.
+admin,User,Parsed contact information for the administrative contact for the domain.
+tech,User,Parsed contact information for the technical contact for the domain
+billing,User,Parsed contact information for the billing contact of the domain.
+zone,User,Parsed contact information for the zone.
+whois_record_raw_text,bytes,WHOIS raw text.
+registry_data_raw_text,bytes,Registry Data raw text.
+iana_registrar_id,int32,"IANA Registrar ID.  See
+https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml"
+private_registration,bool,"Indicates whether the domain appears to be using a private registration
+service to mask the owner's contact information."
+categories,string,Categories assign to the domain as retrieved from VirusTotal.
+favicon,Favicon,Includes difference hash and MD5 hash of the domain's favicon.
+jarm,string,Domain's JARM hash.
+last_dns_records,DNSRecord,Domain's DNS records from the last scan.
+last_dns_records_time,google.protobuf.Timestamp,Date when the DNS records list was retrieved by VirusTotal.
+last_https_certificate,SSLCertificate,SSL certificate object retrieved last time the domain was analyzed.
+last_https_certificate_time,google.protobuf.Timestamp,When the certificate was retrieved by VirusTotal.
+popularity_ranks,PopularityRank,"Domain's position in popularity ranks such as Alexa, Quantcast, Statvoo,
+etc"
+tags,string,List of representative attributes.
+whois_time,google.protobuf.Timestamp,Date of the last update of the WHOIS record.
+from,string,The 'from' address.
+reply_to,string,The 'reply to' address.
+to,string,A list of 'to' addresses.
+cc,string,A list of 'cc' addresses.
+bcc,string,A list of 'bcc' addresses.
+mail_id,string,The mail (or message) ID.
+subject,string,The subject line(s) of the email.
+bounce_address,string,"The envelope from address.
+https://en.wikipedia.org/wiki/Bounce_address"
+raw_md5,string,Favicon's MD5 hash.
+dhash,string,Difference hash.
+sha256,string,"The SHA256 hash of the file, as a hex-encoded string."
+md5,string,"The MD5 hash of the file, as a hex-encoded string."
+sha1,string,"The SHA1 hash of the file, as a hex-encoded string."
+size,uint64,The size of the file in bytes.
+full_path,string,The full path identifying the location of the file on the system.
+mime_type,string,"The MIME (Multipurpose Internet Mail Extensions) type of the file,
+for example ""PE"", ""PDF"", or ""powershell script""."
+file_metadata,FileMetadata,"Metadata associated with the file.
+Deprecate FileMetadata in favor of using fields in File."
+security_result,SecurityResult,"Google Cloud Threat Intelligence (GCTI) security result for the file
+including threat context and detection metadata."
+pe_file,FileMetadataPE,Metadata about the Portable Executable (PE) file.
+ssdeep,string,Ssdeep of the file
+vhash,string,Vhash of the file.
+ahash,string,Deprecated. Use authentihash instead.
+authentihash,string,Authentihash of the file.
+file_type,File.FileType,FileType field.
+capabilities_tags,string,Capabilities tags.
+names,string,Names fields.
+tags,string,Tags for the file.
+last_modification_time,google.protobuf.Timestamp,Timestamp when the file was last updated.
+prevalence,Prevalence,Prevalence of the file hash in the customer's environment.
+first_seen_time,google.protobuf.Timestamp,Timestamp the file was first seen in the customer's environment.
+last_seen_time,google.protobuf.Timestamp,Timestamp the file was last seen in the customer's environment.
+stat_mode,uint64,"The mode of the file. A bit string indicating the permissions and
+privileges of the file."
+stat_inode,uint64,The file identifier. Unique identifier of object within a file system.
+stat_dev,uint64,The file system identifier to which the object belongs.
+stat_nlink,uint64,Number of links to file.
+stat_flags,uint32,User defined flags for file.
+last_analysis_time,google.protobuf.Timestamp,Timestamp the file was last analysed.
+embedded_urls,string,Embedded URLs found in the file.
+embedded_domains,string,Embedded domains found in the file.
+embedded_ips,string,Embedded IP addresses found in the file.
+exif_info,ExifInfo,Exif metadata from different file formats extracted by exiftool.
+signature_info,SignatureInfo,File signature information extracted from different tools.
+pdf_info,PDFInfo,Information about the PDF file structure.
+first_submission_time,google.protobuf.Timestamp,First submission time of the file.
+last_submission_time,google.protobuf.Timestamp,Last submission time of the file.
+main_icon,Favicon,Icon's relevant hashes.
+id,string,Code sign identifier.
+format,string,Code sign format.
+compilation_time,google.protobuf.Timestamp,Code sign timestamp
+imphash,string,Imphash of the file.
+entry_point,int64,info.pe-entry-point.
+entry_point_exiftool,int64,info.exiftool.EntryPoint.
+compilation_time,google.protobuf.Timestamp,info.pe-timestamp.
+compilation_exiftool_time,google.protobuf.Timestamp,info.exiftool.TimeStamp.
+section,FileMetadataSection,FilemetadataSection fields.
+imports,FileMetadataImports,FilemetadataImports fields.
+resource,FileMetadataPeResourceInfo,FilemetadataPeResourceInfo fields.
+resources_type_count,StringToInt64MapEntry,Deprecated: use resources_type_count_str.
+resources_language_count,StringToInt64MapEntry,Deprecated: use resources_language_count_str.
+resources_type_count_str,Label,"Number of resources by resource type.
+Example: RT_ICON: 10, RT_DIALOG: 5"
+resources_language_count_str,Label,"Number of resources by language.
+Example: NEUTRAL: 20, ENGLISH US: 10"
+signature_info,FileMetadataSignatureInfo,"FilemetadataSignatureInfo field.
+deprecated, user File.signature_info instead."
+verification_message,string,"Status of the certificate.
+Valid values are ""Signed"", ""Unsigned"" or a description of the certificate
+anomaly, if found."
+verified,bool,"True if verification_message == ""Signed"""
+signer,string,Deprecated: use signers field.
+signers,SignerInfo,"File metadata signer information.
+The order of the signers matters. Each element is a higher level
+authority, being the last the root authority."
+x509,X509,List of certificates.
+command,string,The FTP command.
+product_object_id,string,"Product globally unique user object identifier, such as an LDAP Object
+Identifier."
+creation_time,google.protobuf.Timestamp,"Group creation time.
+Deprecated: creation_time should be populated in Attribute as generic
+metadata."
+group_display_name,string,"Group display name. e.g. ""Finance""."
+attribute,Attribute,Generic entity metadata attributes of the group.
+email_addresses,string,Email addresses of the group.
+windows_sid,string,Microsoft Windows SID of the group.
+serial_number,string,Hardware serial number.
+manufacturer,string,Hardware manufacturer.
+model,string,Hardware model.
+cpu_platform,string,"Platform of the hardware CPU (e.g. ""Intel Broadwell"")."
+cpu_model,string,"Model description of the hardware CPU
+(e.g. ""2.8 GHz Quad-Core Intel Core i5"")."
+cpu_clock_speed,uint64,Clock speed of the hardware CPU in MHz.
+cpu_max_clock_speed,uint64,Maximum possible clock speed of the hardware CPU in MHz.
+cpu_number_cores,uint64,Number of CPU cores.
+ram,uint64,Amount of the hardware ramdom access memory (RAM) in Mb.
+method,string,"The HTTP request method
+(e.g. ""GET"", ""POST"", ""PATCH"", ""DELETE"")."
+referral_url,string,The URL for the HTTP referer.
+user_agent,string,"The User-Agent request header which includes the application type,
+operating system, software vendor or software version of the requesting
+software user agent."
+response_code,int32,"The response status code, for example
+200, 302, 404, or 500."
+parsed_user_agent,,The parsed user_agent string.
+verdict,Verdict,Describes reason a finding investigation was resolved.
+reputation,Reputation,Describes whether a finding was useful or not-useful.
+severity_score,uint32,Severity score for a finding set by an analyst.
+status,Status,Describes the workflow status of a finding.
+comments,string,Comment added by the Analyst.
+priority,Priority,Priority of the Alert or Finding set by analyst.
+root_cause,string,Root cause of the Alert or Finding set by analyst.
+reason,Reason,Reason for closing the Case or Alert.
+risk_score,uint32,Risk score for a finding set by an analyst.
+key,string,The key.
+value,string,The value.
+rbac_enabled,bool,Indicates whether this label can be used for Data RBAC
+city,string,The city.
+state,string,The state.
+country_or_region,string,The country or region.
+name,string,"Custom location name (e.g. building or site name like ""London Office"").
+For cloud environments, this is the region (e.g. ""us-west2"")."
+desk_name,string,"Desk name or individual location, typically for an employee in an
+office.
+(e.g. ""IN-BLR-BCPC-11-1121D"")."
+floor_name,string,"Floor name, number or a combination of the two for a building.
+(e.g. ""1-A"")."
+region_latitude,float,Deprecated: use region_coordinates.
+region_longitude,float,Deprecated: use region_coordinates.
+region_coordinates,google.type.LatLng,"Coordinates for the associated region.
+See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng
+for a description of the fields."
+js,int64,"Number of /JS tags found in the PDF file. Should be the same as
+javascript field in normal scenarios."
+javascript,int64,"Number of /JavaScript tags found in the PDF file. Should be the same as
+the js field in normal scenarios."
+launch_action_count,int64,Number of /Launch tags found in the PDF file.
+object_stream_count,int64,Number of object streams.
+endobj_count,int64,Number of object definitions (endobj keyword).
+header,string,PDF version.
+acroform,int64,Number of /AcroForm tags found in the PDF.
+autoaction,int64,Number of /AA tags found in the PDF.
+embedded_file,int64,Number of /EmbeddedFile tags found in the PDF.
+encrypted,int64,"Whether the document is encrypted or not. This is defined by the /Encrypt
+tag."
+flash,int64,Number of /RichMedia tags found in the PDF.
+jbig2_compression,int64,Number of /JBIG2Decode tags found in the PDF.
+obj_count,int64,Number of objects definitions (obj keyword).
+endstream_count,int64,Number of defined stream objects (stream keyword).
+page_count,int64,Number of pages in the PDF.
+stream_count,int64,Number of defined stream objects (stream keyword).
+openaction,int64,Number of /OpenAction tags found in the PDF.
+startxref,int64,Number of startxref keywords in the PDF.
+suspicious_colors,int64,Number of colors expressed with more than 3 bytes (CVE-2009-3459).
+trailer,int64,Number of trailer keywords in the PDF.
+xfa,int64,Number of \XFA tags found in the PDF.
+xref,int64,Number of xref keywords in the PDF.
+import_hash,string,Hash of PE imports.
+name,string,Name of the permission (e.g. chronicle.analyst.updateRule).
+description,string,Description of the permission (e.g. 'Ability to update detect rules').
+type,Permission.PermissionType,Type of the permission.
+platform,Noun.Platform,The platform operating system.
+platform_version,string,"The platform software version (
+e.g. ""Microsoft Windows 1803"")."
+platform_patch_level,string,"The platform software patch level (
+e.g. ""Build 17134.48"", ""SP1"")."
+giver,string,Name of the rank serial number hexdump.
+rank,int64,Rank position.
+ingestion_time,google.protobuf.Timestamp,Timestamp when the rank was ingested.
+rolling_max,int32,"The maximum number of assets per day accessing the resource over the
+trailing day_count days."
+day_count,int32,The number of days over which rolling_max is calculated.
+rolling_max_sub_domains,int32,"The maximum number of assets per day accessing the domain along with
+sub-domains over the trailing day_count days. This field is only valid for
+domains."
+day_max,int32,The max prevalence score in a day interval window.
+day_max_sub_domains,int32,"The max prevalence score in a day interval window across sub-domains. This
+field is only valid for domains."
+pid,string,The process ID.
+parent_pid,string,"The ID of the parent process.
+Deprecated: use parent_process.pid instead."
+parent_process,Process,Information about the parent process.
+file,File,Information about the file in use by the process.
+command_line,string,The command line command that created the process.
+command_line_history,string,The command line history of the process.
+product_specific_process_id,string,A product specific process id.
+access_mask,uint64,A bit mask representing the level of access.
+integrity_level_rid,uint64,The Microsoft Windows integrity level relative ID (RID) of the process.
+token_elevation_type,Process.TokenElevationType,"The elevation type of the process on Microsoft Windows. This determines if
+any privileges are removed when UAC is enabled."
+product_specific_parent_process_id,string,"A product specific id for the parent process.
+Please use parent_process.product_specific_process_id instead."
+registry_key,string,"Registry key associated with an application or system component
+(e.g., HKEY_, HKCU\Environment...)."
+registry_value_name,string,"Name of the registry value associated with an application or system
+component (e.g. TEMP)."
+registry_value_data,string,"Data associated with a registry value
+(e.g. %USERPROFILE%\Local Settings\Temp)."
+type,string,Deprecated: use resource_type instead.
+resource_type,Resource.ResourceType,Resource type.
+resource_subtype,string,"Resource sub-type (e.g. ""BigQuery"", ""Bigtable"")."
+id,string,Deprecated: Use resource.name or resource.product_object_id.
+name,string,"The full name of the resource. For example,
+Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123,
+and AWS: arn:aws:iam::123456789012:user/johndoe."
+parent,string,"The parent of the resource.
+For a database table, the parent is the database. For a storage object,
+the bucket name.  Deprecated: use resource_ancestors.name."
+product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (a GUID,
+OID, or similar)"
+attribute,Attribute,Generic entity metadata attributes of the resource.
+name,string,System role name for user.
+description,string,System role description for user.
+type,Role.Type,System role type for well known roles.
+cert_signature,SSLCertificate.CertSignature,Certificate's signature and algorithm.
+extension,SSLCertificate.Extension,(DEPRECATED) certificate's extension.
+cert_extensions,google.protobuf.Struct,Certificate's extensions.
+first_seen_time,google.protobuf.Timestamp,Date the certificate was first retrieved by VirusTotal.
+issuer,SSLCertificate.Subject,Certificate's issuer data.
+ec,SSLCertificate.EC,EC public key information.
+serial_number,string,Certificate's serial number hexdump.
+signature_algorithm,string,"Algorithm used for the signature (for example, ""sha1RSA"")."
+size,int64,Certificate content length.
+subject,SSLCertificate.Subject,Certificate's subject data.
+thumbprint,string,Certificate's content SHA1 hash.
+thumbprint_sha256,string,Certificate's content SHA256 hash.
+validity,SSLCertificate.Validity,Certificate's validity period.
+version,string,"Certificate version (typically ""V1"", ""V2"" or ""V3"")."
+keyid,string,Key hexdump.
+serial_number,string,Serial number hexdump.
+signature,string,Signature.
+signature_algorithm,string,Algorithm.
+p,string,p component hexdump.
+q,string,q component hexdump.
+g,string,g component hexdump.
+pub,string,Public key hexdump.
+oid,string,Curve name.
+pub,string,Public key hexdump.
+ca,bool,Whether the subject acts as a certificate authority (CA) or not.
+subject_key_id,string,Identifies the public key being certified.
+authority_key_id,SSLCertificate.AuthorityKeyId,"Identifies the public key to be used to verify the signature on this
+certificate or CRL."
+key_usage,string,The purpose for which the certified public key is used.
+ca_info_access,string,"Authority information access locations are URLs that are added to a
+certificate in its authority information access extension."
+crl_distribution_points,string,"CRL distribution points to which a certificate user should refer to
+ascertain if the certificate has been revoked."
+extended_key_usage,string,"One or more purposes for which the certified public key may be used, in
+addition to or in place of the basic purposes indicated in the key usage
+extension field."
+subject_alternative_name,string,"Contains one or more alternative names, using any of a variety of name
+forms, for the entity that is bound by the CA to the certified public
+key."
+certificate_policies,string,"Different certificate policies will relate to different applications
+which may use the certified key."
+netscape_cert_comment,string,Used to include free-form text comments inside certificates.
+cert_template_name_dc,string,"BMP data value ""DomainController"". See MS Q291010."
+netscape_certificate,bool,"Identify whether the certificate subject is an SSL client, an SSL server,
+or a CA."
+pe_logotype,bool,Whether the certificate includes a logotype.
+old_authority_key_id,bool,Whether the certificate has an old authority key identifier extension.
+algorithm,string,"Any of ""RSA"", ""DSA"" or ""EC"". Indicates the algorithm used to generate the
+certificate."
+rsa,SSLCertificate.RSA,RSA public key information.
+key_size,int64,Key size.
+modulus,string,Key modulus hexdump.
+exponent,string,Key exponent hexdump.
+country_name,string,C: Country name.
+common_name,string,CN: CommonName.
+locality,string,L: Locality.
+organization,string,O: Organization.
+organizational_unit,string,OU: OrganizationalUnit.
+state_or_province_name,string,ST: StateOrProvinceName.
+expiry_time,google.protobuf.Timestamp,Expiry date.
+issue_time,google.protobuf.Timestamp,Issue date.
+confidence_score,int32,Confidence score of the verdict.
+verdict_time,google.protobuf.Timestamp,Timestamp at which the verdict was generated.
+verdict_response,SecurityResult.VerdictResponse,Details of the verdict.
+id,string,Unique association id generated by mandiant.
+country_code,string,Country from which the threat actor/ malware is originated.
+type,SecurityResult.Association.AssociationType,Signifies the type of association.
+name,string,Name of the threat actor/malware.
+description,string,Human readable description about the association.
+role,string,Role of the malware. Not applicable for threat actor.
+source_country,string,Name of the country the threat originated from.
+alias,SecurityResult.Association.AssociationAlias,Different aliases of the threat actor given by different sources.
+first_reference_time,google.protobuf.Timestamp,First time the threat actor was referenced or seen.
+last_reference_time,google.protobuf.Timestamp,Last time the threat actor was referenced or seen.
+industries_affected,string,List of industries the threat actor affects.
+associated_actors,SecurityResult.Association,"List of associated threat actors for a malware. Not applicable for threat
+actors."
+region_code,Location,"Name of the country, the threat is originating from."
+sponsor_region,Location,Sponsor region of the threat actor.
+targeted_regions,Location,Targeted regions.
+tags,string,Tags.
+name,string,Name of the alias.
+company,string,Name of the provider who gave the association's name.
+ioc_stats_type,SecurityResult.IoCStatsType,Describes the source of the IoCStat.
+first_level_source,string,"Name of first level IoC source, for example Mandiant or a third-party."
+second_level_source,string,"Name of the second-level IoC source, for example Crowdsourced Threat
+Analysis or Knowledge Graph."
+benign_count,int32,Count of responses where the IoC was identified as benign.
+quality,SecurityResult.ProductConfidence,Level of confidence in the IoC mapping extracted from the source.
+malicious_count,int32,Count of responses where the IoC was identified as malicious.
+response_count,int32,Total number of response from the source.
+source_count,int32,Number of sources from which information was extracted.
+source_provider,string,Source provider giving the ML verdict.
+benign_count,int32,Count of responses where this IoC was marked benign.
+malicious_count,int32,Count of responses where this IoC was marked malicious.
+confidence_score,int32,Confidence score of the verdict.
+mandiant_sources,SecurityResult.Source,List of mandiant sources from which the verdict was generated.
+third_party_sources,SecurityResult.Source,List of third-party sources from which the verdict was generated.
+name,string,Name of the IoC source.
+benign_count,int32,Count of responses where this IoC was marked benign.
+malicious_count,int32,Count of responses where this IoC was marked malicious.
+quality,SecurityResult.ProductConfidence,Quality of the IoC mapping extracted from the source.
+response_count,int32,Total response count from this source.
+source_count,int32,Number of sources from which intelligence was extracted.
+threat_intelligence_sources,SecurityResult.Source,Different threat intelligence sources from which IoC info was extracted.
+source_count,int32,Number of sources from which intelligence was extracted.
+response_count,int32,Total response count across all sources.
+neighbour_influence,string,Describes the neighbour influence of the verdict.
+verdict,SecurityResult.ProviderMLVerdict,ML Verdict provided by sources like Mandiant.
+analyst_verdict,SecurityResult.AnalystVerdict,Human analyst verdict provided by sources like Mandiant.
+source_count,int32,Number of sources from which intelligence was extracted.
+response_count,int32,Total response count across all sources.
+neighbour_influence,string,Describes the near neighbor influence of the verdict.
+verdict_type,SecurityResult.VerdictType,Type of verdict.
+source_provider,string,Source provider giving the machine learning verdict.
+benign_count,int32,Count of responses where this IoC was marked as benign.
+malicious_count,int32,Count of responses where this IoC was marked as malicious.
+confidence_score,int32,Confidence score of the verdict.
+ioc_stats,SecurityResult.IoCStats,List of IoCStats from which the verdict was generated.
+verdict_time,google.protobuf.Timestamp,Timestamp when the verdict was generated.
+verdict_response,SecurityResult.VerdictResponse,Details about the verdict.
+global_customer_count,int32,Global customer count over the last 30 days
+global_hits_count,int32,Global hit count over the last 30 days.
+pwn,bool,"Whether one or more Mandiant incident response customers had this
+indicator in their environment."
+category_details,string,Tags related to the verdict.
+pwn_first_tagged_time,google.protobuf.Timestamp,The timestamp of the first time a pwn was associated to this entity.
+sigcheck,FileMetadataSignatureInfo,Signature information extracted from the sigcheck tool.
+codesign,FileMetadataCodesign,Signature information extracted from the codesign utility.
+name,string,"Common name of the signers/certificate.
+The order of the signers matters. Each element is a higher level
+authority, the last being the root authority."
+status,string,"It can say ""Valid"" or state the problem with the certificate if any (e.g.
+""This certificate or one of the certificates in the certificate chain is
+not time valid."")."
+valid_usage,string,"Indicates which situations the certificate is valid for (e.g. ""Code
+Signing"")."
+cert_issuer,string,Company that issued the certificate.
+helo,string,The client's 'HELO'/'EHLO' string.
+mail_from,string,The client's 'MAIL FROM' string.
+rcpt_to,string,The client's 'RCPT TO' string(s).
+server_response,string,The server's response(s) to the client.
+message_path,string,The message's path (extracted from the headers).
+is_webmail,bool,If the message was sent via a webmail client.
+is_tls,bool,If the connection switched to TLS.
+name,string,The name of the software.
+version,string,The version of the software.
+permissions,Permission,"System permissions granted to the software.
+For example, ""android.permission.WRITE_EXTERNAL_STORAGE"""
+description,string,The description of the software.
+vendor_name,string,The name of the software vendor.
+tenant_id,bytes,A list of subtenant ids that this event belongs to.
+data_tap_config_name,string,A list of sink name values defined in DataTap configurations.
+interval,google.type.Interval,Interval duration of the leave.
+description,string,Description of the leave if available (e.g. 'Vacation').
+client,Tls.Client,Certificate information for the client certificate.
+server,Tls.Server,Certificate information for the server certificate.
+cipher,string,Cipher used during the connection.
+curve,string,Elliptical curve used for a given cipher.
+version,string,TLS version.
+version_protocol,string,Protocol.
+established,bool,Indicates whether the TLS negotiation was successful.
+next_protocol,string,Protocol to be used for tunnel.
+resumed,bool,"Indicates whether the TLS connection was resumed from a previous
+TLS negotiation."
+certificate,Certificate,Client certificate.
+ja3,string,"JA3 hash from the TLS ClientHello, as a hex-encoded string."
+server_name,string,"Host name of the server, that the client is connecting to."
+supported_ciphers,string,Ciphers supported by the client during client hello.
+certificate,Certificate,Server certificate.
+ja3s,string,"JA3 hash from the TLS ServerHello, as a hex-encoded string."
+tracker,string,Tracker name.
+id,string,"Tracker ID, if available."
+timestamp,google.protobuf.Timestamp,Tracker ingestion date.
+URL,string,Tracker script URL.
+URL,string,URL.
+categories,string,Categorisation done by VirusTotal partners.
+favicon,Favicon,Difference hash and MD5 hash of the URL's.
+html_meta,google.protobuf.Struct,Meta tags (only for URLs downloading HTML).
+last_final_url,string,"If the original URL redirects, where does it end."
+last_http_response_code,int32,HTTP response code of the last response.
+last_http_response_content_length,int64,Length in bytes of the content received.
+last_http_response_content_sha256,string,URL response body's SHA256 hash.
+last_http_response_cookies,google.protobuf.Struct,Website's cookies.
+last_http_response_headers,google.protobuf.Struct,Headers and values of the last HTTP response.
+tags,string,Tags.
+title,string,Webpage title.
+trackers,Tracker,Trackers found in the URL in a historical manner.
+product_object_id,string,"A vendor-specific identifier to uniquely identify the entity (e.g. a GUID,
+LDAP, OID, or similar)."
+userid,string,The ID of the user.
+user_display_name,string,"The display name of the user
+(e.g. ""John Locke"")."
+first_name,string,"First name of the user (e.g. ""John"")."
+middle_name,string,Middle name of the user.
+last_name,string,"Last name of the user (e.g. ""Locke"")."
+phone_numbers,string,Phone numbers for the user.
+personal_address,Location,Personal address of the user.
+attribute,Attribute,Generic entity metadata attributes of the user.
+first_seen_time,google.protobuf.Timestamp,"The first observed time for a user.
+The value is calculated on the basis of the
+first time the identifier was observed."
+account_type,User.AccountType,"Type of user account (for example, service, domain, or cloud). This is
+somewhat aligned to: https://attack.mitre.org/techniques/T1078/"
+groupid,string,"The ID of the group that the user belongs to.
+Deprecated in favor of the repeated group_identifiers field."
+group_identifiers,string,"Product object identifiers of the group(s) the user belongs to
+A vendor-specific identifier to uniquely identify the group(s) the user
+belongs to (a GUID, LDAP OID, or similar)."
+windows_sid,string,The Microsoft Windows SID of the user.
+email_addresses,string,Email addresses of the user.
+employee_id,string,Human capital management identifier.
+title,string,User job title.
+company_name,string,User job company name.
+department,string,User job department
+office_address,Location,User job office location.
+managers,User,User job manager(s).
+hire_date,google.protobuf.Timestamp,User job employment hire date.
+termination_date,google.protobuf.Timestamp,User job employment termination date.
+time_off,TimeOff,User time off leaves from active work.
+last_login_time,google.protobuf.Timestamp,User last login timestamp.
+last_password_change_time,google.protobuf.Timestamp,User last password change timestamp.
+password_expiration_time,google.protobuf.Timestamp,User password expiration timestamp.
+account_expiration_time,google.protobuf.Timestamp,User account expiration timestamp.
+account_lockout_time,google.protobuf.Timestamp,User account lockout timestamp.
+last_bad_password_attempt_time,google.protobuf.Timestamp,User last bad password attempt timestamp.
+user_authentication_status,Authentication.AuthenticationStatus,System authentication status for user.
+role_name,string,"System role name for user.
+Deprecated: use attribute.roles."
+role_description,string,"System role description for user.
+Deprecated: use attribute.roles."
+user_role,User.Role,"System role for user.
+Deprecated: use attribute.roles."
+vulnerabilities,Vulnerability,A list of vulnerabilities.
+about,Noun,"If the vulnerability is about a specific noun (e.g. executable),
+then add it here."
+name,string,"Name of the vulnerability (e.g. ""Unsupported OS Version detected"")."
+description,string,Description of the vulnerability.
+vendor,string,Vendor of scan that discovered vulnerability.
+scan_start_time,google.protobuf.Timestamp,"If the vulnerability was discovered during an asset scan, then this
+field should be populated with the time the scan started.
+This field can be left unset if the start time is not available or not
+applicable."
+scan_end_time,google.protobuf.Timestamp,"If the vulnerability was discovered during an asset scan, then this field
+should be populated with the time the scan ended.
+This field can be left unset if the end time is not available or not
+applicable."
+first_found,google.protobuf.Timestamp,"Products that maintain a history of vuln scans should populate first_found
+with the time that a scan first detected the vulnerability on this asset."
+last_found,google.protobuf.Timestamp,"Products that maintain a history of vuln scans should populate last_found
+with the time that a scan last detected the vulnerability on this asset."
+severity,Vulnerability.Severity,The severity of the vulnerability.
+severity_details,string,Vendor-specific severity
+cvss_base_score,float,"CVSS Base Score in the range of 0.0 to 10.0.
+Useful for sorting."
+cvss_vector,string,"Vector of CVSS properties (e.g. ""AV:L/AC:H/Au:N/C:N/I:P/A:C"")
+Can be linked to via:
+https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator"
+cvss_version,string,Version of CVSS Vector/Score.
+cve_id,string,"Common Vulnerabilities and Exposures Id.
+https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
+https://cve.mitre.org/about/faqs.html#what_is_cve_id"
+cve_description,string,"Common Vulnerabilities and Exposures Description.
+https://cve.mitre.org/about/faqs.html#what_is_cve_record"
+vendor_vulnerability_id,string,Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
+vendor_knowledge_base_article_id,string,"Vendor specific knowledge base article (e.g. ""KBXXXXXX"" from Microsoft).
+https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base
+https://access.redhat.com/knowledgebase"
+name,string,Certificate name.
+algorithm,string,Certificate algorithm.
+thumbprint,string,Certificate thumbprint.
+cert_issuer,string,Issuer of the certificate.
+serial_number,string,Certificate serial number.