Skip to main content

Chronicle

This Integration is part of the Chronicle Pack.#

Overview#


Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.

Note: The gcb-list-alerts command would fetch both Asset as well as User alerts depending upon the argument alert_type. In this case, the total number of alerts fetched might not match with the value of the page_size argument and this is a known behaviour with respect to the endpoint from which we are fetching the alerts.

Note: The gcb-list-rules command would filter rules depending upon the argument live_rule.In this case, the total number of rules fetched might not match with the value of the page_size argument and this is a known behaviour with respect to the endpoint from which we are fetching the rules.

Note: The commands and fetch incidents mechanism will do up to 3 internal retries with a gap of 15, 30, and 60 seconds (exponentially) between the retries.

Troubleshoot#

Note: If you are expecting a high volume of alerts from Chronicle, you can reduce the time required to fetch them by increasing the "How many incidents to fetch each time" parameter while decreasing the "Incidents Fetch Interval" parameter in the integration configuration.

Problem #1#

Duplication of rule detection incidents when fetched from Chronicle.

Solution #1#

FAQ - Fetch Detections#

Question #1#

If we have 3 rules added in the configuration (R1, R2, R3) and we are getting 429 or 500 errors in R2. Will my integration stop fetching the detections or will it fetch detections of rule R3?

Case #1: When HTTP 429 or 500 error resumes before 60 retry attempts:#
  • System will re-attempt to fetch the detection after 1 min for the same R2 rule. The system will re-attempt to get the detections for Rule R2, 60 times. If 429 or 500 error is recovered before 60 attempts, the system will fetch the detections for Rule R2 and then proceed ahead for Rule R3.
Case #2: When HTTP 429 or 500 error does not resume for 60 retry attempts:#
  • System will re-attempt after 1 min for the same R2 rule. The system will re-attempt to get the detections for Rule R2 60 times. If 429 error does not recover for 60 attempts, the system will skip Rule R2 and then proceed ahead for rule R3 to fetch its detections by adding a log.
Question #2#

What if R1 is an invalid rule id? Would it be able to fetch R2 and R3 detections?

  • There will not be any retry attempts for invalid rule ids. The system will skip the invalid rule ids and move to the next rule id. So if R1 is invalid, the system will skip it without any retry attempts and move to R2.
Question #3#

What if R1 is deleted rule id? Would it be able to fetch R2 and R3 detections?

  • There will not be any retry attempts for deleted rule ids. The system will skip the deleted rule ids and move to the next rule id. So if R1 is deleted, the system will skip it without any retry attempts and move to R2.

Configure Chronicle on Cortex XSOAR#


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Chronicle.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • User's Service Account JSON
    • Region: Select the region based on the location of the chronicle backstory instance. If region is not listed in the dropdown, choose the "Other" option and specify the region in the "Other Region" text field.
    • Other Region: Specify the region based on the location of the chronicle backstory instance. Only applicable if the "Other" option is selected in the Region dropdown.
    • Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.
    • Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.
    • Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
    • Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
    • Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.
    • Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.
    • Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Fetches incidents
    • First fetch time
    • How many incidents to fetch each time
    • Chronicle Alert Type (Select the type of data to consider for fetch incidents)
    • Time window (in minutes)
    • Select the severity of alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (If not selected, fetches all alerts).
    • Detections to fetch by Rule ID or Version ID
    • Fetch all rules detections
    • Filter detections by alert state
    • List Basis
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#


Fetch-incidents feature can pull events from Google Chronicle which can be converted into actionable incidents for further investigation. It is the function that Cortex XSOAR calls every minute to import new incidents and can be enabled by the "Fetches incidents" parameter in the integration configuration.

Configuration Parameters for Fetch-incidents#

  • First fetch time interval: Default 3 days
  • How many incidents to fetch each time: Default 100
  • Select the severity of alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (If not selected, fetches all alerts). Only applicable for asset alerts.
  • Chronicle Alert Type (Select the type of data to consider for fetch incidents):
    • IOC Domain matches Default
    • Assets with alerts
    • Curated Rule Detection alerts
    • Detection alerts
    • User alerts
  • Time window (in minutes): Not applicable for IOC Domain matches
    • 15 Default
    • 30
    • 45
    • 60
  • Detections to fetch by Rule ID or Version ID Only applicable for Detection alerts and Curated Rule Detection alerts
  • Fetch all rules detections Only applicable for Detection alerts
  • Filter detections by alert state: Only applicable for Detection alerts and Curated Rule Detection alerts
    • ALERTING
    • NOT ALERTING
NameInitial Value
First fetch time interval. The UTC date or relative timestamp from where to start fetching incidents.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

For example: 10 minutes, 5 hours, 8 days, 2 weeks, 8 months, 2021-12-31, 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z
3 days
How many incidents to fetch each time.100
Select the severity of alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (If not selected, fetches all alerts). Only applicable for asset alerts.Not selected
Chronicle Alert Type (Select the type of data to consider for fetch incidents).IOC Domain matches (Default), Assets with alerts, Curated Rule Detection alerts, Detection alerts and User alerts
Time window (in minutes)15
Detections to fetch by Rule ID or Version IDempty
Fetch all rules detectionsNot selected
Filter detections by alert stateNot selected

Incident field mapping - Asset Alerts#

NameInitial Value
name<AlertName> for <Asset>
rawJSONSingle Raw JSON
detailsSingle Raw JSON
severitySeverity of Alert

Incident field mapping - IOC Domain matches#

NameInitial Value
nameIOC Domain Match: <Artifact>
rawJSONSingle Raw JSON
detailsSingle Raw JSON

Incident field mapping - Detection Alerts#

NameInitial Value
name<RuleName>
rawJSONSingle Raw JSON
detailsSingle Raw JSON

Incident field mapping - Curated Rule Detection alerts#

NameInitial Value
name<RuleName>
rawJSONSingle Raw JSON
detailsSingle Raw JSON
severityseverity
Descriptiondescription
Detection URLurlBackToProduct
Risk ScoreriskScore
Tagstags

Incident field mapping - User Alerts#

NameInitial Value
name<AlertName> for <User>
rawJSONSingle Raw JSON
detailsSingle Raw JSON

Commands#


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. gcb-list-iocs
  2. gcb-assets
  3. ip
  4. domain
  5. gcb-ioc-details
  6. gcb-list-alerts
  7. gcb-list-events
  8. gcb-list-detections
  9. gcb-list-rules
  10. gcb-create-rule
  11. gcb-get-rule
  12. gcb-delete-rule
  13. gcb-create-rule-version
  14. gcb-change-rule-alerting-status
  15. gcb-change-live-rule-status
  16. gcb-start-retrohunt
  17. gcb-get-retrohunt
  18. gcb-list-retrohunts
  19. gcb-cancel-retrohunt
  20. gcb-list-reference-list
  21. gcb-get-reference-list
  22. gcb-create-reference-list
  23. gcb-update-reference-list
  24. gcb-verify-reference-list
  25. gcb-test-rule-stream
  26. gcb-list-useraliases
  27. gcb-list-assetaliases
  28. gcb-list-curatedrules
  29. gcb-list-curatedrule-detections
  30. gcb-udm-search
  31. gcb-verify-value-in-reference-list
  32. gcb-verify-rule
  33. gcb-get-event

1. gcb-list-iocs#


Lists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.

Base Command#

gcb-list-iocs

Input#
Argument NameDescriptionRequired
preset_time_rangeFetches IOC Domain matches in the specified time interval. If configured, overrides the start_time argument.Optional
start_timeThe value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
page_sizeThe maximum number of IOCs to return. You can specify between 1 and 10000. Default is 10000.Optional
Context Output#
PathTypeDescription
Domain.NameStringThe domain name of the artifact.
GoogleChronicleBackstory.Iocs.ArtifactStringThe Indicator artifact.
GoogleChronicleBackstory.Iocs.IocIngestTimeDateTime(UTC) the IOC was first seen by Chronicle.
GoogleChronicleBackstory.Iocs.FirstAccessedTimeDateTime(UTC) the artifact was first seen within your enterprise.
GoogleChronicleBackstory.Iocs.LastAccessedTimeDateTime(UTC) the artifact was most recently seen within your enterprise.
GoogleChronicleBackstory.Iocs.Sources.CategoryStringSource Category represents the behavior of the artifact.
GoogleChronicleBackstory.Iocs.Sources.IntRawConfidenceScoreNumberThe numeric confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.NormalizedConfidenceScoreStringThe normalized confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.RawSeverityStringThe severity of the IOC as reported by the source.
GoogleChronicleBackstory.Iocs.Sources.SourceStringThe source that reported the IOC.
Command Example#

!gcb-list-iocs page_size=1 preset_time_range="Last 1 day"

Context Example#
{
"GoogleChronicleBackstory.Iocs": [
{
"FirstAccessedTime": "2018-10-03T02:12:51Z",
"Sources": [
{
"Category": "Spyware Reporting Server",
"RawSeverity": "Medium",
"NormalizedConfidenceScore": "Low",
"IntRawConfidenceScore": 0,
"Source": "ET Intelligence Rep List"
}
],
"LastAccessedTime": "2020-02-14T05:59:27Z",
"Artifact": "anx.tb.ask.com",
"IocIngestTime": "2020-02-06T22:00:00Z"
},
{
"Artifact": "0.0.0.1",
"IocIngestTime": "2023-11-30T19:26:41.266555Z",
"FirstAccessedTime": "2023-01-17T09:54:19Z",
"LastAccessedTime": "2023-01-17T09:54:19Z",
"Sources": [
{
"Category": "Unwanted",
"IntRawConfidenceScore": 0,
"NormalizedConfidenceScore": "Medium",
"RawSeverity": "Medium",
"Source": "Threat Intelligence"
}
]
}
],
"Domain": [
{
"Name": "anx.tb.ask.com"
}
]
}
Human Readable Output#

IOC Domain Matches#

ArtifactCategorySourceConfidenceSeverityIOC ingest timeFirst seenLast seen
anx.tb.ask.comSpyware Reporting ServerET Intelligence Rep ListLowMedium7 days agoa year ago3 hours ago
0.0.0.1UnwantedThreat IntelligenceMediumMedium3 days ago10 months ago10 months ago

2. gcb-assets#


Returns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.

Base Command#

gcb-assets

Input#
Argument NameDescriptionRequired
artifact_valueThe artifact indicator associated with assets. The artifact type can be one of the following: IP, Domain, MD5, SHA1, or SHA256.Required
preset_time_rangeFetches assets that accessed the artifact during the interval specified. If configured, overrides the start_time and end_time arguments.Optional
start_timeThe value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
end_timeThe value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
page_sizeThe maximum number of IOCs to return. You can specify between 1 and 10000. Default is 10000.Optional
Context Output#
PathTypeDescription
GoogleChronicleBackstory.Asset.HostNameStringThe hostname of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.IpAddressStringThe IP address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.MacAddressStringThe MAC address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.ProductIdStringThe Product ID of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.AccessedDomainStringThe domain artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedIPStringThe IP address artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedMD5StringThe MD5 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA1StringThe SHA1 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA256StringThe SHA256 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.FirstAccessedTimeDateThe time when the asset first accessed the artifact.
GoogleChronicleBackstory.Asset.LastAccessedTimeDateThe time when the asset last accessed the artifact.
Host.HostnameStringThe hostname of the asset that accessed the artifact.
Host.IDStringThe Product ID of the asset that accessed the artifact.
Host.IPStringThe IP address of the asset that accessed the artifact.
Host.MACAddressStringThe MAC address of the asset that accessed the artifact.
Command Example#

!gcb-assets artifact_value=bing.com preset_time_range="Last 1 day"

Context Example#
{
"GoogleChronicleBackstory.Asset": [
{
"FirstAccessedTime": "2018-10-18T04:38:44Z",
"AccessedDomain": "bing.com",
"HostName": "james-anderson-laptop",
"LastAccessedTime": "2020-02-14T07:13:33Z"
},
{
"FirstAccessedTime": "2018-10-18T02:01:51Z",
"AccessedDomain": "bing.com",
"HostName": "roger-buchmann-pc",
"LastAccessedTime": "2020-02-13T22:25:27Z"
}
],
"Host": [
{
"Hostname": "james-anderson-laptop"
},
{
"Hostname": "roger-buchmann-pc"
}
]
}
Human Readable Output#

Assets related to artifact - bing.com#

Host NameHost IPHost MACFirst Accessed TimeLast Accessed Time
james-anderson-laptop--2018-10-18T04:38:44Z2020-02-14T07:13:33Z
roger-buchmann-pc--2018-10-18T02:01:51Z2020-02-13T22:25:27Z

View assets in Chronicle

3. ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#
Argument NameDescriptionRequired
ipThe IP address to check.Optional
Context Output#
PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
IP.AddressStringThe IP address of the artifact.
IP.Malicious.VendorStringFor malicious IPs, the vendor that made the decision.
IP.Malicious.DescriptionStringFor malicious IPs, the reason that the vendor made the decision.
GoogleChronicleBackstory.IP.IoCQueriedStringThe artifact that was queried.
GoogleChronicleBackstory.IP.Sources.Address.IpAddressStringThe IP address of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.DomainStringThe domain name of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.PortUnknownThe port numbers of the artifact.
GoogleChronicleBackstory.IP.Sources.CategoryStringThe behavior of the artifact.
GoogleChronicleBackstory.IP.Sources.ConfidenceScoreNumberThe confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IP.Sources.FirstAccessedTimeDateThe time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IP.Sources.LastAccessedTimeDateThe time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IP.Sources.SeverityStringImpact of the artifact on the enterprise.
Command Example#

!ip ip=23.20.239.12

Context Example#
{
"IP": {
"Address": "23.20.239.12"
},
"DBotScore": {
"Vendor": "Google Chronicle Backstory",
"Indicator": "23.20.239.12",
"Score": 0,
"Type": "ip"
},
"GoogleChronicleBackstory.IP": {
"Sources": [
{
"Category": "Known CnC for Mobile specific Family",
"FirstAccessedTime": "2018-12-05T00:00:00Z",
"Severity": "High",
"ConfidenceScore": 70,
"Address": [
{
"IpAddress": "23.20.239.12",
"Port": [
80
]
}
],
"LastAccessedTime": "2019-04-10T00:00:00Z"
},
{
"Category": "Blocked",
"FirstAccessedTime": "1970-01-01T00:00:00Z",
"Severity": "High",
"ConfidenceScore": "High",
"Address": [
{
"Domain": "mytemplatewebsite.com",
"Port": ""
},
{
"IpAddress": "23.20.239.12",
"Port": ""
}
],
"LastAccessedTime": "2020-02-16T08:56:06Z"
}
],
"IoCQueried": "23.20.239.12"
}
}
Human Readable Output#

IP: 23.20.239.12 found with Reputation: Unknown

Reputation Parameters#

DomainIP AddressCategoryConfidence ScoreSeverityFirst Accessed TimeLast Accessed Time
-23.20.239.12Known CnC for Mobile specific Family70High2018-12-05T00:00:00Z2019-04-10T00:00:00Z
mytemplatewebsite.com23.20.239.12BlockedHighHigh1970-01-01T00:00:00Z2020-02-16T08:56:06Z

View IoC details in Chronicle

4. domain#


Checks the reputation of a domain.

Base Command#

domain

Input#
Argument NameDescriptionRequired
domainThe domain name to check.Optional
Context Output#
PathTypeDescription
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name of the artifact.
Domain.Malicious.VendorStringFor malicious domains, the vendor that made the decision.
Domain.Malicious.DescriptionStringFor malicious domains, the reason that the vendor made the decision.
GoogleChronicleBackstory.Domain.IoCQueriedStringThe domain that queried.
GoogleChronicleBackstory.Domain.Sources.Address.IpAddressStringThe IP address of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.DomainStringThe domain name of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.PortUnknownThe port numbers of the artifact.
GoogleChronicleBackstory.Domain.Sources.CategoryStringThe behavior of the artifact.
GoogleChronicleBackstory.Domain.Sources.ConfidenceScoreNumberThe confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.Domain.Sources.FirstAccessedTimeDateThe time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.Domain.Sources.LastAccessedTimeDateThe time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.Domain.Sources.SeverityStringImpact of the artifact on the enterprise.
Command Example#

!domain domain=bing.com

Context Example#
{
"GoogleChronicleBackstory.Domain": {
"Sources": [
{
"Category": "Observed serving executables",
"FirstAccessedTime": "2013-08-06T00:00:00Z",
"Severity": "Low",
"ConfidenceScore": 67,
"Address": [
{
"Domain": "bing.com",
"Port": [
80
]
}
],
"LastAccessedTime": "2020-01-14T00:00:00Z"
}
],
"IoCQueried": "bing.com"
},
"Domain": {
"Name": "bing.com"
},
"DBotScore": {
"Vendor": "Google Chronicle Backstory",
"Indicator": "bing.com",
"Score": 0,
"Type": "domain"
}
}
Human Readable Output#

Domain: bing.com found with Reputation: Unknown

Reputation Parameters#

DomainIP AddressCategoryConfidence ScoreSeverityFirst Accessed TimeLast Accessed Time
bing.com-Observed serving executables67Low2013-08-06T00:00:00Z2020-01-14T00:00:00Z

View IoC details in Chronicle

5. gcb-ioc-details#


Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

Base Command#

gcb-ioc-details

Input#
Argument NameDescriptionRequired
artifact_valueThe artifact indicator value. The supported artifact types are IP and domain.Required
Context Output#
PathTypeDescription
Domain.NameStringThe domain name of the artifact.
IP.AddressStringThe IP address of the of the artifact.
GoogleChronicleBackstory.IocDetails.IoCQueriedStringThe artifact entered by the user.
GoogleChronicleBackstory.IocDetails.Sources.Address.IpAddressStringThe IP address of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.DomainStringThe domain name of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.PortUnknownThe port numbers of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.CategoryStringThe behavior of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.ConfidenceScoreNumberThe confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IocDetails.Sources.FirstAccessedTimeDateThe time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IocDetails.Sources.LastAccessedTimeDateThe time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IocDetails.Sources.SeverityStringImpact of the artifact on the enterprise.
Command Example#

!gcb-ioc-details artifact_value=23.20.239.12

Context Example#
{
"IP": {
"Address": "23.20.239.12"
},
"GoogleChronicleBackstory.IocDetails": {
"Sources": [
{
"Category": "Known CnC for Mobile specific Family",
"FirstAccessedTime": "2018-12-05T00:00:00Z",
"Severity": "High",
"ConfidenceScore": 70,
"Address": [
{
"IpAddress": "23.20.239.12",
"Port": [
80
]
}
],
"LastAccessedTime": "2019-04-10T00:00:00Z"
},
{
"Category": "Blocked",
"FirstAccessedTime": "1970-01-01T00:00:00Z",
"Severity": "High",
"ConfidenceScore": "High",
"Address": [
{
"Domain": "mytemplatewebsite.com",
"Port": ""
},
{
"IpAddress": "23.20.239.12",
"Port": ""
}
],
"LastAccessedTime": "2020-02-16T08:56:06Z"
}
],
"IoCQueried": "23.20.239.12"
}
}
Human Readable Output#

IoC Details#

DomainIP AddressCategoryConfidence ScoreSeverityFirst Accessed TimeLast Accessed Time
-23.20.239.12Known CnC for Mobile specific Family70High2018-12-05T00:00:00Z2019-04-10T00:00:00Z
mytemplatewebsite.com23.20.239.12BlockedHighHigh1970-01-01T00:00:00Z2020-02-16T08:56:06Z

View IoC details in Chronicle

6. gcb-list-alerts#


List all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.

Base Command#

gcb-list-alerts

Input#
Argument NameDescriptionRequired
preset_time_rangeFetch alerts for the specified time range. If preset_time_range is configured, overrides the start_time and end_time arguments.Optional
start_timeThe value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
end_timeThe value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
page_sizeThe maximum number of IOCs to return. You can specify between 1 and 100000. Default is 10000.Optional
severityThe severity by which to filter the returned alerts. If not supplied, all alerts are fetched. This is applicable for asset alerts only. The possible values are "High", "Medium", "Low", or "Unspecified".Optional
alert_typeSpecify which type of alerts you want. The possible values are "Asset Alerts" or "User Alerts".Optional
Context Output#
PathTypeDescription
GoogleChronicleBackstory.Alert.AssetNameStringThe asset identifier. It can be IP Address, MAC Address, Hostname or Product ID.
GoogleChronicleBackstory.Alert.AlertInfo.NameStringThe name of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.SeverityStringThe severity of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.SourceProductStringThe source of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.TimestampStringThe time of the alert in Chronicle.
GoogleChronicleBackstory.Alert.AlertCountsNumberThe total number of alerts.
GoogleChronicleBackstory.UserAlert.UserStringThe user identifier. It can be username or email address.
GoogleChronicleBackstory.UserAlert.AlertInfo.NameStringThe name of the user alert.
GoogleChronicleBackstory.UserAlert.AlertInfo.SourceProductStringThe source of the user alert.
GoogleChronicleBackstory.UserAlert.AlertInfo.TimestampStringThe time of the user alert in Chronicle.
GoogleChronicleBackstory.UserAlert.AlertInfo.RawLogStringThe raw log of the user alert.
GoogleChronicleBackstory.UserAlert.AlertCountsNumberThe total number of user alerts.
Command Example#

!gcb-list-alerts page_size=1 preset_time_range="Last 1 day"

Context Example#
{
"GoogleChronicleBackstory.Alert": [
{
"AssetName": "rosie-hayes-pc",
"AlertInfo": [
{
"Timestamp": "2020-02-14T03:02:36Z",
"SourceProduct": "Internal Alert",
"Name": "Authentication failure [32038]",
"Severity": "Medium"
}
],
"AlertCounts": 1
}
]
}
Human Readable Output#

Security Alert(s)#

AlertsAssetAlert NamesFirst SeenLast SeenSeveritiesSources
1rosie-hayes-pcAuthentication failure [32038]6 hours ago6 hours agoMediumInternal Alert

7. gcb-list-events#


List all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Chronicle account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

Base Command#

gcb-list-events

Input#
Argument NameDescriptionRequired
asset_identifier_typeSpecify the identifier type of the asset you are investigating. The possible values are Host Name, IP Address, MAC Address or Product ID.Required
asset_identifierValue of the asset identifier.Required
preset_time_rangeGet events that are discovered during the interval specified. If configured, overrides the start_time and end_time arguments.Optional
start_timeThe value of the start time for your request. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product considers UTC time corresponding to 2 hours earlier than current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
end_timeThe value of the end time for your request. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product considers current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
page_sizeSpecify the maximum number of events to fetch. You can specify between 1 and 10000. Default is 10000.Optional
reference_timeSpecify the reference time for the asset you are investigating, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product considers start time as reference time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.Optional
Context Output#
PathTypeDescription
GoogleChronicleBackstory.Events.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.collectedTimestampDateThe GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Events.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Events.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.emailStringEmail address.
GoogleChronicleBackstory.Events.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.urlStringStandard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.emailStringEmail address.
GoogleChronicleBackstory.Events.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.urlStringStandard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Events.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.emailStringEmail address.
GoogleChronicleBackstory.Events.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.urlStringStandard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.emailStringEmail address.
GoogleChronicleBackstory.Events.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.urlStringStandard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.emailStringEmail address.
GoogleChronicleBackstory.Events.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.urlStringStandard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Events.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Events.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Events.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Events.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Events.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Events.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Events.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Events.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.
Command Example#

!gcb-list-events asset_identifier_type="Host Name" asset_identifier="ray-xxx-laptop" start_time="2020-01-01T00:00:00Z" page_size="1"

Context Example#
{
"GoogleChronicleBackstory.Events": [
{
"principal": {
"ip": [
"10.0.XX.XX"
],
"mac": [
"88:a6:XX:XX:XX:XX"
],
"hostname": "ray-xxx-laptop"
},
"target": {
"ip": [
"8.8.8.8"
]
},
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"type": 1,
"name": "is5-ssl.mzstatic.com"
}
],
"answers": [
{
"type": 1,
"data": "104.118.212.43",
"name": "is5-ssl.mzstatic.com",
"ttl": 11111
}
],
"response": true
}
},
"collectedTimestamp": "2020-01-02T00:00:00Z",
"productName": "ExtraHop",
"eventTimestamp": "2020-01-01T23:59:38Z",
"eventType": "NETWORK_DNS"
}
]
}
Human Readable Output#

Event(s) Details#

Event TimestampEvent TypePrincipal Asset IdentifierTarget Asset IdentifierQueried Domain
2020-01-01T23:59:38ZNETWORK_DNSray-xxx-laptop8.8.8.8ninthdecimal.com

View events in Chronicle

Maximum number of events specified in page_size has been returned. There might still be more events in your Chronicle account. To fetch the next set of events, execute the command with the start time as 2020-01-01T23:59:38Z

8. gcb-list-detections#


Return the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.

Base Command#

gcb-list-detections

Input#
Argument NameDescriptionRequired
idUnique identifier for a rule or specific version of a rule, defined and returned by the server. You can specify exactly one rule identifier. Use the following format to specify the id: ru{UUID} or {ruleId}@v{int64}_{int64}. If not specified then detections for all versions of all rules are returned.Optional
detection_start_time(Deprecated)Time to begin returning detections, filtering on a detection's detectionTime. If not specified, the start time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.
Optional
detection_end_time(Deprecated)Time to stop returning detections, filtering on a detection's detectionTime. If not specified, the end time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.
Optional
start_timeTime to begin returning detections, filtering by the detection field specified in the listBasis parameter. If not specified, the start time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.
Optional
end_timeTime to stop returning detections, filtering by the detection field specified by the listBasis parameter. If not specified, the end time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun.
Optional
detection_for_all_versionsWhether the user wants to retrieve detections for all versions of a rule with a given rule identifier.

Note: If this option is set to true, rule id is required.
Optional
list_basisSort detections by "DETECTION_TIME" or by "CREATED_TIME". If not specified, it defaults to "DETECTION_TIME". Detections are returned in descending order of the timestamp.

Note: Requires either "start_time" or "end_time" argument.
Optional
alert_stateFilter detections on if they are ALERTING or NOT_ALERTING.
Avoid specifying to return all detections.
Optional
page_sizeSpecify the limit on the number of detections to display. You can specify between 1 and 1000.Optional
page_tokenA page token received from a previous call. Provide this to retrieve the subsequent page. If the page token is configured, overrides the detection start and end time arguments.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Detections.idStringIdentifier for the detection.
GoogleChronicleBackstory.Detections.ruleIdStringIdentifier for the rule generating the detection.
GoogleChronicleBackstory.Detections.ruleVersionStringIdentifier for the rule version generating the detection.
GoogleChronicleBackstory.Detections.ruleNameStringName of the rule generating the detection, as parsed from ruleText.
GoogleChronicleBackstory.Detections.timeWindowStartTimeDateThe start time of the window the detection was found in.
GoogleChronicleBackstory.Detections.timeWindowEndTimeDateThe end time of the window the detection was found in.
GoogleChronicleBackstory.Detections.alertStateStringIndicates whether the rule generating this detection currently has alerting enabled or disabled.
GoogleChronicleBackstory.Detections.urlBackToProductStringURL pointing to the Chronicle UI for this detection.
GoogleChronicleBackstory.Detections.typeStringType of detection.
GoogleChronicleBackstory.Detections.createdTimeDateTime the detection was created.
GoogleChronicleBackstory.Detections.detectionTimeDateThe time period the detection was found in.
GoogleChronicleBackstory.Detections.ruleTypeStringWhether the rule generating this detection is a single event or multi-event rule.
GoogleChronicleBackstory.Detections.detectionFields.keyStringThe key for a field specified in the rule, for MULTI_EVENT rules.
GoogleChronicleBackstory.Detections.detectionFields.valueStringThe value for a field specified in the rule, for MULTI_EVENT rules.
GoogleChronicleBackstory.Detections.collectionElements.labelStringThe variable a given set of UDM events belongs to.
GoogleChronicleBackstory.Detections.collectionElements.references.principalAssetIdentifierStringSpecifies the principal asset identifier of the event.
GoogleChronicleBackstory.Detections.collectionElements.references.targetAssetIdentifierStringSpecifies the target asset identifier of the event.
GoogleChronicleBackstory.Detections.collectionElements.references.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Detections.collectionElements.references.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Detections.collectionElements.references.ingestedTimestampDateThe GMT timestamp when the event was ingested in the vendor's instance.
GoogleChronicleBackstory.Detections.collectionElements.references.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Detections.collectionElements.references.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Detections.collectionElements.references.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Detections.collectionElements.references.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Detections.collectionElements.references.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Detections.collectionElements.references.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Detections.collectionElements.references.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.principal.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.target.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.target.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.src.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.src.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.observer.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.about.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.about.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Detections.collectionElements.references.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Detections.collectionElements.references.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Detections.collectionElements.references.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Detections.collectionElements.references.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Detections.collectionElements.references.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Detections.collectionElements.references.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Detections.collectionElements.references.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Detections.collectionElements.references.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.
GoogleChronicleBackstory.Token.nameStringThe name of the command to which the value of the nextPageToken corresponds.
GoogleChronicleBackstory.Token.nextPageTokenStringA page token that can be provided to the next call to view the next page of detections. Absent if this is the last page.
Command Example#

!gcb-list-detections id=ru_746bd6d6-6b84-4007-b74c-ec90c7306a71 page_size=2

Context Example#
{
"GoogleChronicleBackstory": {
"Detections": [
{
"alertState": "NOT_ALERTING",
"collectionElements": [
{
"label": "event",
"references": [
{
"eventTimestamp": "2020-12-24T03:00:02.559Z",
"eventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-12-24T03:03:17.129868Z",
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "is5-ssl.mzstatic.com",
"type": 1
}
]
}
},
"principal": {
"hostname": "ray-xxx-laptop",
"ip": [
"10.0.XX.XX"
],
"mac": [
"88:a6:XX:XX:XX:XX"
]
},
"principalAssetIdentifier": "ray-xxx-laptop",
"productName": "ExtraHop",
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"target": {
"ip": [
"10.0.XX.XX"
]
},
"targetAssetIdentifier": "10.0.XX.XX"
},
{
"eventTimestamp": "2020-12-24T03:00:40.566Z",
"eventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-12-24T03:03:17.129868Z",
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "is5-ssl.mzstatic.com",
"type": 1
}
]
}
},
"principal": {
"hostname": "ray-xxx-laptop",
"ip": [
"10.0.XX.XX"
],
"mac": [
"88:a6:XX:XX:XX:XX"
]
},
"principalAssetIdentifier": "ray-xxx-laptop",
"productName": "ExtraHop",
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"target": {
"ip": [
"10.0.XX.XX"
]
},
"targetAssetIdentifier": "10.0.XX.XX"
}
]
}
],
"createdTime": "2020-12-24T03:13:46.116199Z",
"detectionFields": [
{
"key": "client_ip",
"value": "10.0.XX.XX"
}
],
"detectionTime": "2020-12-24T04:00:00Z",
"id": "de_bea17243-d3b3-14bf-6b57-74e1a2422c68",
"ruleId": "ru_746bd6d6-6b84-4007-b74c-ec90c7306a71",
"ruleName": "SampleRule",
"ruleType": "MULTI_EVENT",
"ruleVersion": "ru_746bd6d6-6b84-4007-b74c-ec90c7306a71@v_1604081489_593503000",
"timeWindowEndTime": "2020-12-24T04:00:00Z",
"timeWindowStartTime": "2020-12-24T03:00:00Z",
"type": "RULE_DETECTION",
"urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_bea17243-d3b3-14bf-6b57-74e1a2422c68"
},
{
"alertState": "NOT_ALERTING",
"collectionElements": [
{
"label": "event",
"references": [
{
"eventTimestamp": "2020-12-24T03:00:11.959Z",
"eventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-12-24T03:03:17.200062Z",
"network": {
"applicationProtocol": "DNS",
"dns": {
"answers": [
{
"data": "10.0.XX.XX",
"name": "is5-ssl.mzstatic.com",
"ttl": 11111,
"type": 1
}
],
"questions": [
{
"name": "is5-ssl.mzstatic.com",
"type": 1
}
],
"response": true
}
},
"principal": {
"hostname": "ray-xxx-laptop",
"ip": [
"10.0.XX.XX"
],
"mac": [
"88:a6:XX:XX:XX:XX"
]
},
"principalAssetIdentifier": "ray-xxx-laptop",
"productName": "ExtraHop",
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"target": {
"ip": [
"10.0.XX.XX"
]
},
"targetAssetIdentifier": "10.0.XX.XX"
},
{
"eventTimestamp": "2020-12-24T03:01:43.953Z",
"eventType": "NETWORK_DNS",
"ingestedTimestamp": "2020-12-24T03:03:17.200062Z",
"network": {
"applicationProtocol": "DNS",
"dns": {
"answers": [
{
"data": "10.0.XX.XX",
"name": "is5-ssl.mzstatic.com",
"ttl": 11111,
"type": 1
}
],
"questions": [
{
"name": "is5-ssl.mzstatic.com",
"type": 1
}
],
"response": true
}
},
"principal": {
"hostname": "ray-xxx-laptop",
"ip": [
"10.0.XX.XX"
],
"mac": [
"88:a6:XX:XX:XX:XX"
]
},
"principalAssetIdentifier": "ray-xxx-laptop",
"productName": "ExtraHop",
"securityResult": [
{
"action": [
"UNKNOWN_ACTION"
]
}
],
"target": {
"ip": [
"10.0.XX.XX"
]
},
"targetAssetIdentifier": "10.0.XX.XX"
}
]
}
],
"createdTime": "2020-12-24T03:13:46.449491Z",
"detectionFields": [
{
"key": "client_ip",
"value": "10.0.XX.XX"
}
],
"detectionTime": "2020-12-24T04:00:00Z",
"id": "de_d6194710-acd4-c1de-e440-d1c6a7a50fc1",
"ruleId": "ru_746bd6d6-6b84-4007-b74c-ec90c7306a71",
"ruleName": "SampleRule",
"ruleType": "MULTI_EVENT",
"ruleVersion": "ru_746bd6d6-6b84-4007-b74c-ec90c7306a71@v_1604081489_593503000",
"timeWindowEndTime": "2020-12-24T04:00:00Z",
"timeWindowStartTime": "2020-12-24T03:00:00Z",
"type": "RULE_DETECTION",
"urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_d6194710-acd4-c1de-e440-d1c6a7a50fc1"
}
],
"Token": {
"name": "gcb-list-detections",
"nextPageToken": "foobar_page_token"
}
}
}
Human Readable Output#

Detection(s) Details For Rule: SampleRule#

Detection IDDetection TypeDetection TimeEventsAlert State
de_bea17243-d3b3-14bf-6b57-74e1a2422c68RULE_DETECTION2020-12-24T04:00:00ZEvent Timestamp: 2020-12-24T03:00:02.559Z
Event Type: NETWORK_DNS
Principal Asset Identifier: ray-xxx-laptop
Target Asset Identifier: 10.0.XX.XX
Queried Domain: is5-ssl.mzstatic.com

Event Timestamp: 2020-12-24T03:00:40.566Z
Event Type: NETWORK_DNS
Principal Asset Identifier: ray-xxx-laptop
Target Asset Identifier: 10.0.XX.XX
Queried Domain: is5-ssl.mzstatic.com
NOT_ALERTING
de_d6194710-acd4-c1de-e440-d1c6a7a50fc1RULE_DETECTION2020-12-24T04:00:00ZEvent Timestamp: 2020-12-24T03:00:11.959Z
Event Type: NETWORK_DNS
Principal Asset Identifier: ray-xxx-laptop
Target Asset Identifier: 10.0.XX.XX
Queried Domain: is5-ssl.mzstatic.com

Event Timestamp: 2020-12-24T03:01:43.953Z
Event Type: NETWORK_DNS
Principal Asset Identifier: ray-xxx-laptop
Target Asset Identifier: 10.0.XX.XX
Queried Domain: is5-ssl.mzstatic.com
NOT_ALERTING

View all detections for this rule in Chronicle by clicking on SampleRule and to view individual detection in Chronicle click on its respective Detection ID.

Note: If a specific version of the rule is provided then detections for that specific version will be fetched. Maximum number of detections specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token as foobar_page_token.

9. gcb-list-rules#


List the latest versions of all Rules.

Base Command#

gcb-list-rules

Input#
Argument NameDescriptionRequired
live_ruleTo filter live rules.Optional
page_sizeSpecify the maximum number of Rules to return. You can specify between 1 and 1000. Default is 100.Optional
page_tokenA page token, received from a previous call. Provide this to retrieve the subsequent page.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Rules.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.Rules.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.Rules.ruleNameStringName of the rule, as parsed from ruleText.
GoogleChronicleBackstory.Rules.ruleTextStringSource code for the rule, as defined by the user.
GoogleChronicleBackstory.Rules.liveRuleEnabledBooleanWhether the rule is enabled to run as a "Live Rule".
GoogleChronicleBackstory.Rules.alertingEnabledBooleanWhether the rule is enabled to generate Alerts.
GoogleChronicleBackstory.Rules.versionCreateTimeStringA string representing the time in ISO-8601 format.
GoogleChronicleBackstory.Rules.compilationStateStringCompilation state of the rule. It can be SUCCEEDED or FAILED.
GoogleChronicleBackstory.Rules.compilationErrorStringA compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED.
GoogleChronicleBackstory.Rules.Metadata.severityStringSeverity for the rule.
GoogleChronicleBackstory.Rules.Metadata.authorStringName of author for the rule.
GoogleChronicleBackstory.Rules.Metadata.descriptionStringDescription of the rule.
GoogleChronicleBackstory.Rules.Metadata.referenceStringReference link for the rule.
GoogleChronicleBackstory.Rules.Metadata.createdStringTime at which the rule is created.
GoogleChronicleBackstory.Rules.Metadata.updatedStringTime at which the rule is updated.
GoogleChronicleBackstory.Token.nameStringThe name of the command to which the value of the nextPageToken corresponds.
GoogleChronicleBackstory.Token.nextPageTokenStringA page token that can be provided to the next call to view the next page of Rules. Absent if this is the last page.
Command Example#

!gcb-list-rules page_size=2

Context Example#
{
"GoogleChronicleBackstory": {
"rules": [
{
"ruleId": "ru_c5b129e4-9e20-44ad-ad23-78117bd2a2af",
"versionId": "ru_c5b129e4-9e20-44ad-ad23-78117bd2a2af@v_1614773287_876527000",
"ruleName": "malicious_extensions",
"metadata": {
"author": "analyst5",
"description": "Use to detects malicious extentions from email attachments.",
"severity": "High"
},
"ruleText": "rule malicious_extensions {\n meta:\n author = \"analyst5\"\n description = \"Use to detects malicious extentions from email attachments.\"\n severity = \"High\"\n\n events:\n $event.metadata.event_type = \"EMAIL_TRANSACTION\"\n $event.about.file.mime_type = /^.*\\.(com|exe|bat|cmd|cpl|jar|js|msi|rar|reg)$/\n\n condition:\n $event\n \n}\n",
"alertingEnabled": true,
"versionCreateTime": "2021-03-03T12:08:07.876527Z",
"compilationState": "SUCCEEDED"
},
{
"ruleId": "ru_d63cfaeb-23d7-4e0a-b342-5f880f6129f9",
"versionId": "ru_d63cfaeb-23d7-4e0a-b342-5f880f6129f9@v_1614369854_162095000",
"ruleName": "empire_monkey",
"metadata": {
"version": "0.01",
"created": "2019/04/02",
"category": "process_creation",
"product": "windows",
"mitre": "t1086, execution",
"author": "Markus Neis",
"description": "Detects EmpireMonkey APT reported Activity License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.",
"reference": "https://tdm.socprime.com/tdm/info/jFbYfF51ECXh"
},
"ruleText": "rule empire_monkey {\n\tmeta:\n\t\tauthor = \"Markus Neis\"\n\t\tdescription = \"Detects EmpireMonkey APT reported Activity License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.\"\n\t\treference = \"https://tdm.socprime.com/tdm/info/jFbYfF51ECXh\"\n\t\tversion = \"0.01\"\n\t\tcreated = \"2019/04/02\"\n\t\tcategory = \"process_creation\"\n\t\tproduct = \"windows\"\n\t\tmitre = \"t1086, execution\"\n\n\tevents:\n(re.regex($selection_cutil.target.process.command_line, `.*/i:%APPDATA%\\\\logs\\.txt scrobj\\.dll`) and (re.regex($selection_cutil.target.process.file.full_path, `.*\\\\cutil\\.exe`) or $selection_cutil.metadata.description = \"Microsoft(C) Registerserver\"))\n\n\tcondition:\n\t\t$selection_cutil\n}\n",
"versionCreateTime": "2021-02-26T20:04:14.162095Z",
"compilationState": "SUCCEEDED"
}
],
"nextPageToken": "foobar_page_token"
}
}
Human Readable Output#

Rule(s) Details#

Rule IDRule NameCompilation State
ru_42f02f52-544c-4b6e-933c-df17648d5831email_executionSUCCEEDED
ru_f13faad1-0041-476c-a05a-40e01c942796rule_1616480950177SUCCEEDED

Maximum number of rules specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token as foobar_page_token.

10. gcb-create-rule#


Creates a new rule. By default the live rule status will be set to disabled.

Base Command#

gcb-create-rule

Input#

Argument NameDescriptionRequired
rule_textRule text in YARA-L 2.0 format for the rule to be created.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Rules.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.Rules.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.Rules.ruleNameStringName of the rule, as parsed from ruleText.
GoogleChronicleBackstory.Rules.ruleTextStringSource code for the rule, as defined by the user.
GoogleChronicleBackstory.Rules.liveRuleEnabledBooleanWhether the rule is enabled to run as a Live Rule.
GoogleChronicleBackstory.Rules.alertingEnabledBooleanWhether the rule is enabled to generate Alerts.
GoogleChronicleBackstory.Rules.versionCreateTimeStringA string representing the time in ISO-8601 format.
GoogleChronicleBackstory.Rules.compilationStateStringCompilation state of the rule. It can be SUCCEEDED or FAILED.
GoogleChronicleBackstory.Rules.compilationErrorStringA compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED.
GoogleChronicleBackstory.Rules.ruleTypeStringIndicates the type of event in rule. It can be SINGLE_EVENT or MULTI_EVENT.
GoogleChronicleBackstory.Rules.metadata.severityStringSeverity for the rule.
GoogleChronicleBackstory.Rules.metadata.authorStringName of author for the rule.
GoogleChronicleBackstory.Rules.metadata.descriptionStringDescription of the rule.
GoogleChronicleBackstory.Rules.metadata.referenceStringReference link for the rule.
GoogleChronicleBackstory.Rules.metadata.createdStringTime at which the rule is created.
GoogleChronicleBackstory.Rules.metadata.updatedStringTime at which the rule is updated.

Command Example#

!gcb-create-rule rule_text="rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}"

Context Example#

{
"GoogleChronicleBackstory": {
"Rules": {
"compilationState": "SUCCEEDED",
"metadata": {
"author": "securityuser",
"description": "single event rule that should generate detections"
},
"ruleId": "ru_b28005ec-e027-4300-9dcc-0c6ef5dda8e6",
"ruleName": "demoRuleCreatedFromAPI",
"ruleText": "rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}\n",
"ruleType": "SINGLE_EVENT",
"versionCreateTime": "2022-06-23T06:21:36.217135Z",
"versionId": "ru_b28005ec-e027-4300-9dcc-0c6ef5dda8e6@v_1655965296_217135000"
}
}
}

Human Readable Output#

Rule Detail#

Rule IDVersion IDAuthorRule NameDescriptionVersion Creation TimeCompilation StatusRule Text
ru_b28005ec-e027-4300-9dcc-0c6ef5dda8e6ru_b28005ec-e027-4300-9dcc-0c6ef5dda8e6@v_1655965296_217135000securityuserdemoRuleCreatedFromAPIsingle event rule that should generate detections2022-06-23T06:21:36.217135ZSUCCEEDEDrule demoRuleCreatedFromAPI {meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e}

11. gcb-get-rule#


Retrieves the rule details of specified Rule ID or Version ID.

Base Command#

gcb-get-rule

Input#

Argument NameDescriptionRequired
idRule ID or Version ID of the rule to be retrieved.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Rules.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.Rules.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.Rules.ruleNameStringName of the rule, as parsed from ruleText.
GoogleChronicleBackstory.Rules.ruleTextStringSource code for the rule, as defined by the user.
GoogleChronicleBackstory.Rules.liveRuleEnabledBooleanWhether the rule is enabled to run as a Live Rule.
GoogleChronicleBackstory.Rules.alertingEnabledBooleanWhether the rule is enabled to generate Alerts.
GoogleChronicleBackstory.Rules.versionCreateTimeStringA string representing the time in ISO-8601 format.
GoogleChronicleBackstory.Rules.compilationStateStringCompilation state of the rule. It can be SUCCEEDED or FAILED.
GoogleChronicleBackstory.Rules.compilationErrorStringA compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED.
GoogleChronicleBackstory.Rules.ruleTypeStringIndicates the type of event in rule. It can be SINGLE_EVENT or MULTI_EVENT.
GoogleChronicleBackstory.Rules.metadata.severityStringSeverity for the rule.
GoogleChronicleBackstory.Rules.metadata.authorStringName of author for the rule.
GoogleChronicleBackstory.Rules.metadata.descriptionStringDescription of the rule.
GoogleChronicleBackstory.Rules.metadata.referenceStringReference link for the rule.
GoogleChronicleBackstory.Rules.metadata.createdStringTime at which the rule is created.
GoogleChronicleBackstory.Rules.metadata.updatedStringTime at which the rule is updated.

Command Example#

!gcb-get-rule id=ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7

Context Example#

{
"GoogleChronicleBackstory": {
"Rules": {
"compilationState": "SUCCEEDED",
"metadata": {
"author": "securityuser",
"description": "single event rule that should generate detections"
},
"ruleId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7",
"ruleName": "demoRuleCreatedFromAPI",
"ruleText": "rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}\n",
"ruleType": "SINGLE_EVENT",
"versionCreateTime": "2022-06-22T13:28:20.905647Z",
"versionId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7@v_1655904500_905647000"
}
}
}

Human Readable Output#

Rule Details#

Rule IDVersion IDAuthorRule NameDescriptionVersion Creation TimeCompilation StatusRule Text
ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7@v_1655904500_905647000securityuserdemoRuleCreatedFromAPIsingle event rule that should generate detections2022-06-22T13:28:20.905647ZSUCCEEDEDrule demoRuleCreatedFromAPI {meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e}

12. gcb-delete-rule#


Deletes the rule specified by Rule ID.

Base Command#

gcb-delete-rule

Input#

Argument NameDescriptionRequired
rule_idID of the rule to be deleted.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.DeleteRule.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.DeleteRule.actionStatusStringWhether the rule is successfully deleted or not.

Command Example#

!gcb-delete-rule rule_id=ru_1e0b123a-5ad8-47d1-94fb-0b874a526f9b

Context Example#

{
"GoogleChronicleBackstory": {
"DeleteRule": {
"actionStatus": "SUCCESS",
"ruleId": "ru_1e0b123a-5ad8-47d1-94fb-0b874a526f9b"
}
}
}

Human Readable Output#

Rule with ID ru_1e0b123a-5ad8-47d1-94fb-0b874a526f9b deleted successfully.#

Rule IDAction Status
ru_1e0b123a-5ad8-47d1-94fb-0b874a526f9bSUCCESS

13. gcb-create-rule-version#


Creates a new version of an existing rule.

Base Command#

gcb-create-rule-version

Input#

Argument NameDescriptionRequired
rule_idRule ID for a Rule for which to create a new version.Required
rule_textRule text in YARA-L 2.0 format for the new version of the rule to be created.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Rules.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.Rules.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.Rules.ruleNameStringName of the rule, as parsed from ruleText.
GoogleChronicleBackstory.Rules.ruleTextStringSource code for the rule, as defined by the user.
GoogleChronicleBackstory.Rules.liveRuleEnabledBooleanWhether the rule is enabled to run as a Live Rule.
GoogleChronicleBackstory.Rules.alertingEnabledBooleanWhether the rule is enabled to generate Alerts.
GoogleChronicleBackstory.Rules.versionCreateTimeStringA string representing the time in ISO-8601 format.
GoogleChronicleBackstory.Rules.compilationStateStringCompilation state of the rule. It can be SUCCEEDED or FAILED.
GoogleChronicleBackstory.Rules.compilationErrorStringA compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED.
GoogleChronicleBackstory.Rules.ruleTypeStringIndicates the type of event in rule. It can be SINGLE_EVENT or MULTI_EVENT.
GoogleChronicleBackstory.Rules.metadata.severityStringSeverity for the rule.
GoogleChronicleBackstory.Rules.metadata.authorStringName of author for the rule.
GoogleChronicleBackstory.Rules.metadata.descriptionStringDescription of the rule.
GoogleChronicleBackstory.Rules.metadata.referenceStringReference link for the rule.
GoogleChronicleBackstory.Rules.metadata.createdStringTime at which the rule is created.
GoogleChronicleBackstory.Rules.metadata.updatedStringTime at which the rule is updated.

Command Example#

!gcb-create-rule-version rule_id=ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7 rule_text="rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}"

Context Example#

{
"GoogleChronicleBackstory": {
"Rules": {
"compilationState": "SUCCEEDED",
"metadata": {
"author": "securityuser",
"description": "single event rule that should generate detections"
},
"ruleId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7",
"ruleName": "demoRuleCreatedFromAPI",
"ruleText": "rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}\n",
"ruleType": "SINGLE_EVENT",
"versionCreateTime": "2022-06-23T06:22:15.343423Z",
"versionId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7@v_1655965335_343423000"
}
}
}

Human Readable Output#

New Rule Version Details#

Rule IDVersion IDAuthorRule NameDescriptionVersion Creation TimeCompilation StatusRule Text
ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7@v_1655965335_343423000securityuserdemoRuleCreatedFromAPIsingle event rule that should generate detections2022-06-23T06:22:15.343423ZSUCCEEDEDrule demoRuleCreatedFromAPI {meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e}

14. gcb-change-rule-alerting-status#


Updates the alerting status for a rule specified by Rule ID.

Base Command#

gcb-change-rule-alerting-status

Input#

Argument NameDescriptionRequired
rule_idID of the rule.Required
alerting_statusNew alerting status for the Rule. Possible values are 'enable' or 'disable'.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.RuleAlertingChange.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.RuleAlertingChange.actionStatusStringWhether the alerting status for the rule is successfully updated or not.
GoogleChronicleBackstory.RuleAlertingChange.alertingStatusStringNew alerting status for the rule.

Command Example#

!gcb-change-rule-alerting-status alerting_status=enable rule_id=ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7

Context Example#

{
"GoogleChronicleBackstory": {
"RuleAlertingChange": {
"actionStatus": "SUCCESS",
"alertingStatus": "enable",
"ruleId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7"
}
}
}

Human Readable Output#

Alerting Status#

Alerting status for the rule with ID ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7 has been successfully enabled.

Rule IDAction Status
ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7SUCCESS

15. gcb-change-live-rule-status#


Updates the live rule status for a rule specified by Rule ID.

Base Command#

gcb-change-live-rule-status

Input#

Argument NameDescriptionRequired
rule_idID of the rule.Required
live_rule_statusNew live rule status for the Rule. Possible values are 'enable' or 'disable'.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.LiveRuleStatusChange.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.LiveRuleStatusChange.actionStatusStringWhether the live rule status for the rule is successfully updated or not.
GoogleChronicleBackstory.LiveRuleStatusChange.liveRuleStatusStringNew live rule status for the rule.

Command Example#

!gcb-change-live-rule-status live_rule_status=enable rule_id=ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7

Context Example#

{
"GoogleChronicleBackstory": {
"LiveRuleStatusChange": {
"actionStatus": "SUCCESS",
"liveRuleStatus": "enable",
"ruleId": "ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7"
}
}
}

Human Readable Output#

Live Rule Status#

Live rule status for the rule with ID ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7 has been successfully enabled.

Rule IDAction Status
ru_99bfa421-2bf2-4440-9ac8-6b1acab170e7SUCCESS

16. gcb-start-retrohunt#


Initiate a retrohunt for the specified rule.

Base Command#

gcb-start-retrohunt

Input#

Argument NameDescriptionRequired
rule_idRule ID or Version ID of the rule whose retrohunt is to be started.Required
start_timeStart time for the time range of logs being processed. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product considers UTC time corresponding to 1 week earlier than current time.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. Default is 1 week.
Optional
end_timeEnd time for the time range of logs being processed. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product considers UTC time corresponding to 10 minutes earlier than current time.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. Default is 10 min.
Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.RetroHunt.retrohuntIdStringUnique identifier for a retrohunt, defined and returned by the server.
GoogleChronicleBackstory.RetroHunt.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.RetroHunt.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.RetroHunt.eventStartTimeDateStart time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.eventEndTimeDateEnd time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.retrohuntStartTimeDateStart time for the retrohunt.
GoogleChronicleBackstory.RetroHunt.stateStringCurrent state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE, or CANCELLED.

Command Example#

!gcb-start-retrohunt rule_id=ru_4bec682c-305a-40a9-bbc6-81fa5487cb49 start_time="52 weeks"

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"eventEndTime": "2022-06-16T06:58:19.994598Z",
"eventStartTime": "2021-06-17T07:08:19.991404Z",
"retrohuntId": "oh_4c02f3a7-fe3c-49a0-82ba-ab255dd87723",
"retrohuntStartTime": "2022-06-16T07:08:21.958022Z",
"ruleId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49",
"state": "RUNNING",
"versionId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_042191000"
}
}
}

Human Readable Output#

Retrohunt Details#

Retrohunt IDRule IDVersion IDEvent Start TimeEvent End TimeRetrohunt Start TimeState
oh_4c02f3a7-fe3c-49a0-82ba-ab255dd87723ru_4bec682c-305a-40a9-bbc6-81fa5487cb49ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_0421910002021-06-17T07:08:19.991404Z2022-06-16T06:58:19.994598Z2022-06-16T07:08:21.958022ZRUNNING

17. gcb-get-retrohunt#


Get retrohunt for a specific version of rule.

Base Command#

gcb-get-retrohunt

Input#

Argument NameDescriptionRequired
idRule ID or Version ID of the rule whose retrohunt is to be retrieved.Required
retrohunt_idUnique identifier for a retrohunt, defined and returned by the server. You must specify exactly one retrohunt identifier.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.RetroHunt.retrohuntIdStringUnique identifier for a retrohunt, defined and returned by the server.
GoogleChronicleBackstory.RetroHunt.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.RetroHunt.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.RetroHunt.eventStartTimeDateStart time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.eventEndTimeDateEnd time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.retrohuntStartTimeDateStart time for the retrohunt.
GoogleChronicleBackstory.RetroHunt.retrohuntEndTimeDateEnd time for the retrohunt.
GoogleChronicleBackstory.RetroHunt.stateStringCurrent state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE or CANCELLED.
GoogleChronicleBackstory.RetroHunt.progressPercentageNumberPercentage progress towards retrohunt completion (0.00 to 100.00).

Command Example#

!gcb-get-retrohunt id=ru_7ba19ccc-be0d-40d3-91dc-ab3c41251818 retrohunt_id=oh_cbb6b859-5c9d-4af9-8d74-1a58321078ad

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"eventEndTime": "2022-06-15T13:03:06.834384Z",
"eventStartTime": "2022-06-08T13:03:04.793333Z",
"progressPercentage": 100,
"retrohuntEndTime": "2022-06-15T13:05:46.894926Z",
"retrohuntId": "oh_cbb6b859-5c9d-4af9-8d74-1a58321078ad",
"retrohuntStartTime": "2022-06-15T13:05:12.774180Z",
"ruleId": "ru_7ba19ccc-be0d-40d3-91dc-ab3c41251818",
"state": "DONE",
"versionId": "ru_7ba19ccc-be0d-40d3-91dc-ab3c41251818@v_1655291303_302767000"
}
}
}

Human Readable Output#

Retrohunt Details#

Retrohunt IDRule IDVersion IDEvent Start TimeEvent End TimeRetrohunt Start TimeRetrohunt End TimeStateProgress Percentage
oh_cbb6b859-5c9d-4af9-8d74-1a58321078adru_7ba19ccc-be0d-40d3-91dc-ab3c41251818ru_7ba19ccc-be0d-40d3-91dc-ab3c41251818@v_1655291303_3027670002022-06-08T13:03:04.793333Z2022-06-15T13:03:06.834384Z2022-06-15T13:05:12.774180Z2022-06-15T13:05:46.894926ZDONE100

18. gcb-list-retrohunts#


List retrohunts for a rule.

Base Command#

gcb-list-retrohunts

Input#

Argument NameDescriptionRequired
idRule ID or Version ID of the rule whose retrohunts are to be listed. If not supplied, retohunts for all versions of all rules will be listed.Optional
retrohunts_for_all_versionsWhether to retrieve retrohunts for all versions of a rule with a given rule identifier.
Note: If this option is set to true, rule id is required. Possible values are: true, false. Default is false.
Optional
stateFilter retrohunts based on their status. The possible values are "RUNNING", "DONE", or "CANCELLED".Optional
page_sizeSpecify the maximum number of retohunts to return. You can specify between 1 and 1000. Default is 100.Optional
page_tokenA page token, received from a previous call. Provide this to retrieve the subsequent page.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.RetroHunt.retrohuntIdStringUnique identifier for a retrohunt, defined and returned by the server.
GoogleChronicleBackstory.RetroHunt.ruleIdStringUnique identifier for a Rule.
GoogleChronicleBackstory.RetroHunt.versionIdStringUnique identifier for a specific version of a rule.
GoogleChronicleBackstory.RetroHunt.eventStartTimeDateStart time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.eventEndTimeDateEnd time for the time range of logs being processed.
GoogleChronicleBackstory.RetroHunt.retrohuntStartTimeDateStart time for the retrohunt.
GoogleChronicleBackstory.RetroHunt.retrohuntEndTimeDateEnd time for the retrohunt.
GoogleChronicleBackstory.RetroHunt.stateStringCurrent state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE or CANCELLED.
GoogleChronicleBackstory.RetroHunt.progressPercentageNumberPercentage progress towards retrohunt completion (0.00 to 100.00).

Command Example#

!gcb-list-retrohunts page_size=3

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": [
{
"eventEndTime": "2022-06-16T06:58:19.994598Z",
"eventStartTime": "2021-06-17T07:08:19.991404Z",
"progressPercentage": 6.59,
"retrohuntId": "oh_4c02f3a7-fe3c-49a0-82ba-ab255dd87723",
"retrohuntStartTime": "2022-06-16T07:08:21.958022Z",
"ruleId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49",
"state": "RUNNING",
"versionId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_042191000"
},
{
"eventEndTime": "2022-06-01T11:00:00Z",
"eventStartTime": "2020-11-25T11:00:00Z",
"progressPercentage": 6.69,
"retrohuntEndTime": "2022-06-16T07:08:35.116493Z",
"retrohuntId": "oh_5fd39b3d-5814-4ce3-ad4f-244aa943d020",
"retrohuntStartTime": "2022-06-16T07:06:57.738997Z",
"ruleId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49",
"state": "CANCELLED",
"versionId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_042191000"
},
{
"eventEndTime": "2022-06-16T06:47:45.116641Z",
"eventStartTime": "2021-06-17T06:57:45.113155Z",
"progressPercentage": 85.44,
"retrohuntId": "oh_93cedd70-a6b6-480a-8d78-a894aff43e05",
"retrohuntStartTime": "2022-06-16T06:57:47.233306Z",
"ruleId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49",
"state": "RUNNING",
"versionId": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_042191000"
}
],
"nextPageToken": "dummy-token"
}
}

Human Readable Output#

Retrohunt Details#

Retrohunt IDRule IDVersion IDEvent Start TimeEvent End TimeRetrohunt Start TimeRetrohunt End TimeStateProgress Percentage
oh_4c02f3a7-fe3c-49a0-82ba-ab255dd87723ru_4bec682c-305a-40a9-bbc6-81fa5487cb49ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_0421910002021-06-17T07:08:19.991404Z2022-06-16T06:58:19.994598Z2022-06-16T07:08:21.958022ZRUNNING6.59
oh_5fd39b3d-5814-4ce3-ad4f-244aa943d020ru_4bec682c-305a-40a9-bbc6-81fa5487cb49ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_0421910002020-11-25T11:00:00Z2022-06-01T11:00:00Z2022-06-16T07:06:57.738997Z2022-06-16T07:08:35.116493ZCANCELLED6.69
oh_93cedd70-a6b6-480a-8d78-a894aff43e05ru_4bec682c-305a-40a9-bbc6-81fa5487cb49ru_4bec682c-305a-40a9-bbc6-81fa5487cb49@v_1655362604_0421910002021-06-17T06:57:45.113155Z2022-06-16T06:47:45.116641Z2022-06-16T06:57:47.233306ZRUNNING85.44

Maximum number of retrohunts specified in page_size has been returned. To fetch the next set of retrohunts, execute the command with the page token as dummy-token

19. gcb-cancel-retrohunt#


Cancel a retrohunt for a specified rule.

Base Command#

gcb-cancel-retrohunt

Input#

Argument NameDescriptionRequired
idRule ID or Version ID of the rule whose retrohunt is to be cancelled.Required
retrohunt_idUnique identifier for a retrohunt, defined and returned by the server. You must specify exactly one retrohunt identifier.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.RetroHunt.idStringUnique identifier for a Rule.
GoogleChronicleBackstory.RetroHunt.retrohuntIdStringUnique identifier for a retrohunt, defined and returned by the server.
GoogleChronicleBackstory.RetroHunt.cancelledBooleanWhether the retrohunt is cancelled or not.

Command Example#

!gcb-cancel-retrohunt id=ru_4bec682c-305a-40a9-bbc6-81fa5487cb49 retrohunt_id=oh_5fd39b3d-5814-4ce3-ad4f-244aa943d020

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"cancelled": true,
"id": "ru_4bec682c-305a-40a9-bbc6-81fa5487cb49",
"retrohuntId": "oh_5fd39b3d-5814-4ce3-ad4f-244aa943d020"
}
}
}

Human Readable Output#

Cancelled Retrohunt#

Retrohunt for the rule with ID ru_4bec682c-305a-40a9-bbc6-81fa5487cb49 has been successfully cancelled.

IDRetrohunt IDAction Status
ru_4bec682c-305a-40a9-bbc6-81fa5487cb49oh_5fd39b3d-5814-4ce3-ad4f-244aa943d020SUCCESS

20. gcb-list-reference-list#


Retrieve all the reference lists.

Base Command#

gcb-list-reference-list

Input#

Argument NameDescriptionRequired
page_sizeNumber of results to retrieve in the response. Maximum size allowed is 1000. Default is 100.Optional
page_tokenThe next page token to retrieve the next set of results.Optional
viewSelect option to control the returned response. BASIC will return the metadata for the list, but not the full contents. FULL will return everything. Possible values are: BASIC, FULL. Default is BASIC.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.ReferenceLists.nameStringUnique name of the list.
GoogleChronicleBackstory.ReferenceLists.descriptionStringDescription of the list.
GoogleChronicleBackstory.ReferenceLists.createTimeDateTime when the list was created.
GoogleChronicleBackstory.ReferenceLists.linesStringList of line items.
GoogleChronicleBackstory.ReferenceLists.contentTypeStringContent type of the reference list.

Command Example#

!gcb-list-reference-list page_size=3

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceLists": [
{
"createTime": "2022-06-14T06:06:35.787791Z",
"description": "sample list",
"contentType": "PLAIN_TEXT",
"name": "test_1"
},
{
"createTime": "2022-06-15T06:43:45.685951Z",
"description": "sample list",
"contentType": "PLAIN_TEXT",
"name": "Builtin"
},
{
"createTime": "2022-06-14T10:01:23.994415Z",
"description": "sample",
"contentType": "PLAIN_TEXT",
"name": "Certificate_Asset"
}
],
"nextPageToken": "dummy-token"
}
}

Human Readable Output#

Reference List Details#

NameContent TypeCreation TimeDescription
test_1PLAIN_TEXT2022-06-14T06:06:35.787791Zsample list
BuiltinPLAIN_TEXT2022-06-15T06:43:45.685951Zsample list
Certificate_AssetPLAIN_TEXT2022-06-14T10:01:23.994415Zsample

Maximum number of reference lists specified in page_size has been returned. To fetch the next set of lists, execute the command with the page token as dummy-token

21. gcb-get-reference-list#


Returns the specified list.

Base Command#

gcb-get-reference-list

Input#

Argument NameDescriptionRequired
nameProvide a unique name of the list to retrieve the result.Required
viewSelect option to control the returned response. BASIC will return the metadata for the list, but not the full contents. FULL will return everything. Possible values are: FULL, BASIC. Default is FULL.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.ReferenceList.nameStringUnique name of the list.
GoogleChronicleBackstory.ReferenceList.descriptionStringDescription of the list.
GoogleChronicleBackstory.ReferenceList.createTimeDateTime when the list was created.
GoogleChronicleBackstory.ReferenceList.linesStringList of line items.
GoogleChronicleBackstory.ReferenceList.contentTypeStringContent type of the reference list.

Command Example#

!gcb-get-reference-list name=test1

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-10T08:59:34.885679Z",
"description": "update",
"contentType": "PLAIN_TEXT",
"lines": [
"line_item_1",
"// comment",
"line_item_2"
],
"name": "test1"
}
}
}

Human Readable Output#

Reference List Details#

NameContent TypeDescriptionCreation TimeContent
test1PLAIN_TEXTupdate2022-06-10T08:59:34.885679Zline_item_1,
// comment,
line_item_2

22. gcb-create-reference-list#


Create a new reference list.

Base Command#

gcb-create-reference-list

Input#

Argument NameDescriptionRequired
nameProvide a unique name of the list to create a reference list.Required
descriptionDescription of the list.Required
linesEnter the content to be added into the reference list.
Format accepted is: "Line 1, Line 2, Line 3".
Required
delimiterDelimiter by which the content of the list is separated.
Eg: " , " , " : ", " ; ". Default is ,.
Optional
content_typeSelect the content type for reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX. Default is PLAIN_TEXT.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.ReferenceList.nameStringUnique name of the list.
GoogleChronicleBackstory.ReferenceList.descriptionStringDescription of the list.
GoogleChronicleBackstory.ReferenceList.linesStringList of line items.
GoogleChronicleBackstory.ReferenceList.createTimeDateTime when the list was created.
GoogleChronicleBackstory.ReferenceList.contentTypeStringContent type of the reference list.

Command Example#

!gcb-create-reference-list description="List created for readme" lines=L1,L2,L3 name=XSOAR_GoogleChronicle_Backstory_README_List_

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-16T07:45:37.285791Z",
"description": "List created for readme",
"contentType": "PLAIN_TEXT",
"lines": [
"L1",
"L2",
"L3"
],
"name": "XSOAR_GoogleChronicle_Backstory_README_List_"
}
}
}

Human Readable Output#

Reference List Details#

NameContent TypeDescriptionCreation TimeContent
XSOARGoogleChronicle_Backstory_README_ListPLAIN_TEXTList created for readme2022-06-16T07:45:37.285791ZL1,
L2,
L3

23. gcb-update-reference-list#


Updates an existing reference list.

Base Command#

gcb-update-reference-list

Input#

Argument NameDescriptionRequired
nameProvide a unique name of the list to update.Required
linesEnter the content to be updated into the reference list.
Format accepted is: "Line 1, Line 2, Line 3".

Note: Use gcb-get-reference-list to retrieve the content and description of the list.
Required
descriptionDescription to be updated of the list.Optional
delimiterDelimiter by which the content of the list is separated.
Eg: " , " , " : ", " ; ". Default is ,.
Optional
content_typeSelect the content type for reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.ReferenceList.nameStringUnique name of the list.
GoogleChronicleBackstory.ReferenceList.descriptionStringDescription of the list.
GoogleChronicleBackstory.ReferenceList.linesStringList of line items.
GoogleChronicleBackstory.ReferenceList.createTimeDateTime when the list was created.
GoogleChronicleBackstory.ReferenceList.contentTypeStringContent type of the reference list.

Command Example#

!gcb-update-reference-list lines=Line1,Line2,Line3 name=XSOAR_GoogleChronicle_Backstory_README_List

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-16T07:11:11.380991Z",
"description": "list created for readme",
"contentType": "PLAIN_TEXT",
"lines": [
"Line1",
"Line2",
"Line3"
],
"name": "XSOAR_GoogleChronicle_Backstory_README_List"
}
}
}

Human Readable Output#

Updated Reference List Details#

NameContent TypeDescriptionCreation TimeContent
XSOAR_GoogleChronicle_Backstory_README_ListPLAIN_TEXTlist created for readme2022-06-16T07:11:11.380991ZLine1,
Line2,
Line3

24. gcb-verify-reference-list#


Validates list content and returns any errors found for each line.

Base Command#

gcb-verify-reference-list

Input#

Argument NameDescriptionRequired
linesEnter the content to be validated in the reference list.
Format accepted is: 'Line 1, Line 2, Line 3'.
Required
content_typeSelect the content type for reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX. Default is PLAIN_TEXT.Optional
delimiterDelimiter by which the content of the list is separated.
Eg: " , " , " : ", " ; ". Default is ,.
Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.VerifyReferenceList.successBooleanWhether lines content are valid or not.
GoogleChronicleBackstory.VerifyReferenceList.errors.linenumberNumberThe line number where the error occurred.
GoogleChronicleBackstory.VerifyReferenceList.errors.errorMessageStringThe error message describing the invalid pattern.
GoogleChronicleBackstory.VerifyReferenceList.command_nameStringThe name of the command.

Command example#

!gcb-verify-reference-list lines="1.2.3.4" content_type=CIDR

Context Example#

{
"GoogleChronicleBackstory": {
"VerifyReferenceList": {
"command_name": "gcb-verify-reference-list",
"errors": [
{
"errorMessage": "invalid cidr pattern 1.2.3.4",
"lineNumber": 1
}
],
"success": false
}
}
}

Human Readable Output#

The following lines contain invalid CIDR pattern.#

Line NumberMessage
1invalid cidr pattern 1.2.3.4

25. gcb-test-rule-stream#


Test a rule over a specified time range. Return any errors and any detections up to the specified maximum.

Base Command#

gcb-test-rule-stream

Input#

Argument NameDescriptionRequired
rule_textRule text in YARA-L 2.0 format for the rule to stream.Required
start_timeStart time for the time range of the rule being tested. The format of Date should comply with RFC 3339 (e.g. 2022-10-02T15:00:00Z) or relative time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2022-05-01T00:00:00Z, 2022-05-01, 2 days, 5 hours, 01 Mar 2022, 01 Feb 2022 04:45:33, 15 Jun.


Note: The time window between start_time and end_time cannot be greater than 2 weeks.
Required
end_timeEnd time for the time range of the rule being tested. The format of Date should comply with RFC 3339 (e.g. 2022-10-02T15:00:00Z) or relative time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2022-05-01T00:00:00Z, 2022-05-01, 2 days, 5 hours, 01 Mar 2022, 01 Feb 2022 04:45:33, 15 Jun.


Note: The time window between start_time and end_time cannot be greater than 2 weeks.
Required
max_resultsMaximum number of results to return. Specify a value between 1 and 10,000. Default is 1000.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.StreamRules.list.detection.typeStringType of detection.
GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleNameStringName of the rule generating the detection, as parsed from ruleText.
GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleTypeStringWhether the rule generating this detection is a single event or multi-event rule.
GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleLabelsUnknownInformation about the rule
GoogleChronicleBackstory.StreamRules.list.detection.idStringIdentifier for the detection.
GoogleChronicleBackstory.StreamRules.list.detection.timeWindow.startTimeDateThe start time of the window the detection was found in.
GoogleChronicleBackstory.StreamRules.list.detection.timeWindow.endTimeDateThe end time of the window the detection was found in.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.ingestedTimestampDateThe GMT timestamp when the event was ingested in the vendor's instance.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.idStringStores the ID of metadata.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.emailAddressesUnknownStores the email addresses for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.productObjectIdStringStores the products object ID.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.attribute.labelsUnknownStores users session metrics
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.phoneNumbersUnknownStores the phone numbers for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.cityStringStores city of user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.stateStringStores state of user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.nameStringStores address name of user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.companyNameStringStores users company name.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.departmentUnknownStores users departments
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.officeAddress.nameStringStores company official address name.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.aboutUnknownStores event labels.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.securityResultUnknownProvide a description of the security result.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.dns.questionsUnknownStores the domain name.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.dns.answersUnknownStores dns associated data.
GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.labelStringThe variable a given set of UDM events belongs to.
GoogleChronicleBackstory.StreamRules.list.detection.detectionTimeDateThe time period the detection was found in.

Command example#

!gcb-test-rule-stream rule_text="rule demoRuleCreatedFromAPIVersion2 {meta:author = \"securityuser2\" description = \"double event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition:$e}" start_time="2022-11-24T00:00:00Z" end_time="2022-12-08T00:00:00Z" max_results=1

Context Example#

{
"GoogleChronicleBackstory": {
"StreamRules": [
{
"detection": {
"collectionElements": [
{
"label": "e",
"references": [
{
"event": {
"about": [
{
"labels": [
{
"key": "Category ID",
"value": "DnsQuery"
}
]
}
],
"metadata": {
"eventTimestamp": "2022-11-24T06:56:59.165381Z",
"eventType": "NETWORK_DNS",
"id": "AAAAABUCUis+2ym6lpWhubmxGDAAAAAAAQAAAN4AAAA=",
"ingestedTimestamp": "2022-11-24T06:57:02.729226Z",
"productEventType": "22",
"productLogId": "278953",
"productName": "Microsoft-Windows-Sysmon",
"vendorName": "Microsoft"
},
"network": {
"applicationProtocol": "DNS",
"dns": {
"answers": [
{
"data": "activedir.stackedpads.local",
"type": 5
}
],
"questions": [
{
"name": "7121e16d-a937-41b2-b7a4-4f38cf48d65c._msdcs.stackedpads.local"
}
]
}
},
"principal": {
"administrativeDomain": "NT AUTHORITY",
"hostname": "activedir.stackedpads.local",
"process": {
"file": {
"fullPath": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2205.7-0\\MsMpEng.exe"
},
"pid": "3224",
"productSpecificProcessId": "SYSMON:{3be6fa21-31d0-62c8-5500-000000001100}"
},
"user": {
"userid": "SYSTEM",
"windowsSid": "S-1-5-18"
}
},
"securityResult": [
{
"severity": "INFORMATIONAL",
"summary": "Dns query"
},
{
"ruleName": "EventID: 22",
"summary": "QueryStatus: 0"
}
]
}
}
]
}
],
"detection": [
{
"ruleLabels": [
{
"key": "author",
"value": "securityuser2"
},
{
"key": "description",
"value": "double event rule that should generate detections"
}
],
"ruleName": "demoRuleCreatedFromAPIVersion2",
"ruleType": "SINGLE_EVENT"
}
],
"detectionTime": "2022-11-24T06:56:59.165381Z",
"id": "de_681b4417-27dc-ba3a-7db9-0388a7954c07",
"timeWindow": {
"endTime": "2022-11-24T06:56:59.165381Z",
"startTime": "2022-11-24T06:56:59.165381Z"
},
"type": "RULE_DETECTION"
}
}
]
}
}

Human Readable Output#

Detection(s)#

Detection IDDetection TypeDetection TimeEvents
de_681b4417-27dc-ba3a-7db9-0388a7954c07RULE_DETECTION2022-11-24T06:56:59.165381ZEvent Timestamp: 2022-11-24T06:56:59.165381Z
Event Type: NETWORK_DNS
Principal Asset Identifier: activedir.stackedpads.local
Queried Domain: 7121e16d-a937-41b2-b7a4-4f38cf48d65c._msdcs.stackedpads.local

26. gcb-list-useraliases#


Lists all the aliases of a user in an enterprise for a specified user identifier and time period.

Base Command#

gcb-list-useraliases

Input#

Argument NameDescriptionRequired
start_timeThe value of the start time for your request.
The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time.
If not supplied, the product considers UTC time corresponding to 3 days earlier than the current time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.
Optional
end_timeThe value of the end time for your request.
The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time.
If not supplied, the product considers the current UTC time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.
Optional
page_sizeSpecify the maximum number of users aliases to fetch. You can specify between 1 and 10000. Default is 10000.Optional
user_identifier_typeSpecify the identifier type of the user indicator. Possible values are: Email, Username, Windows SID, Employee ID, Product object ID.Required
user_identifierValue of the user identifier.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.UserAliases.user.emailStringEmail associated with the user alias.
GoogleChronicleBackstory.UserAliases.user.usernameStringUsername associated with the user alias.
GoogleChronicleBackstory.UserAliases.user.windows_sidStringWindows Security Identifier (SID) associated with the user alias.
GoogleChronicleBackstory.UserAliases.user.employee_idStringEmployee ID associated with the user alias.
GoogleChronicleBackstory.UserAliases.user.product_object_idStringProduct object ID associated with the user alias.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.collectedTimestampDateCollected timestamp of the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.vendorNameStringVendor name associated with the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.productNameStringProduct name associated with the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.entityTypeStringEntity type of the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.interval.startTimeDateStart time of the interval from which user aliases are found.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.interval.endTimeDateEnd time of the interval from which user aliases are found.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.productObjectIdStringProduct object ID associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.hostnameStringHostname associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.assetIdStringAsset ID associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.ipStringIP address associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.nameStringName of the vulnerability associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.descriptionStringDescription of the vulnerability associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.scanStartTimeDateStart time of the vulnerability scan associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.scanEndTimeDateEnd time of the vulnerability scan associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.firstFoundDateTimestamp of the first detection of the vulnerability associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.vulnerabilities.lastFoundDateTimestamp of the last detection of the vulnerability associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.descriptionStringDescription of the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.platformSoftwareUnknownPlatform software associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.platformSoftware.platformVersionStringPlatform version of the platform software associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.networkDomainStringNetwork domain associated with the user alias entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.attribute.labels.keyStringKey of the label associated with the user alias entity asset attribute.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.asset.attribute.labels.valueStringValue of the label associated with the user alias entity asset attribute.
GoogleChronicleBackstory.UserAliases.user.aliases.metadata.productEntityIdStringProduct entity ID associated with the user alias metadata.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.user.useridStringID of the user.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.user.userDisplayNameStringDisplay name of the user.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.user.productObjectIdStringStores the product's object ID.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.user.titleStringTitle of the user.
GoogleChronicleBackstory.UserAliases.user.aliases.entity.user.companyNameStringUser's company name.
GoogleChronicleBackstory.UserAliases.user.aliases.relations.entity.asset.hostnameStringHostname associated with the relations entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.relations.entity.asset.hardwareUnknownHardware information associated with the relations entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.relations.entity.asset.systemLastUpdateTimeDateLast update time of the system associated with the relations entity asset.
GoogleChronicleBackstory.UserAliases.user.aliases.relations.entityTypeStringEntity type of the relations entity.
GoogleChronicleBackstory.UserAliases.user.aliases.relations.relationshipStringRelationship between entities in the relations.

Command example#

!gcb-list-useraliases user_identifier_type="Product object ID" user_identifier="test_product_entity_id"

Context Example#

{
"GoogleChronicleBackstory.UserAliases(val.user.email == obj.user.email && val.user.username == obj.user.username && val.user.windows_sid == obj.user.windows_sid && val.user.employee_id == obj.user.employee_id && val.user.product_object_id == obj.user.product_object_id ) ": {
"user": {
"email": "xyz@example.com",
"aliases": [
{
"metadata": {
"productEntityId": "test_product_entity_id",
"collectedTimestamp": "2022-01-15T07:47:01.666265Z",
"vendorName": "test_vendor_name",
"productName": "test_product_name",
"entityType": "USER",
"interval": {
"startTime": "2023-04-26T00:00:00Z",
"endTime": "2023-01-08T06:47:56.197021Z"
}
},
"entity": {
"user": {
"userid": "admin",
"productObjectId": "test_product_entity_id"
}
},
"relations": [
{
"entity": {
"asset": {
"hostname": "Test_data123",
"systemLastUpdateTime": "2023-01-14T06:14:06Z"
}
},
"entityType": "ASSET",
"relationship": "OWNS"
}
]
},
{
"metadata": {
"productEntityId": "test_product_entity_id_1",
"collectedTimestamp": "2023-01-08T06:47:56.197021Z",
"vendorName": "vendor_name",
"productName": "Configuration Management Database (CMDB)",
"entityType": "USER",
"interval": {
"startTime": "2023-01-08T06:47:56.197021Z",
"endTime": "2023-06-12T00:00:00Z"
}
},
"entity": {
"user": {
"userid": "admin",
"productObjectId": "test_product_entity_id_1"
}
},
"relations": [
{
"entity": {
"asset": {
"hostname": "IP Address",
"systemLastUpdateTime": "2023-01-08T06:35:16Z"
}
},
"entityType": "ASSET",
"relationship": "OWNS"
}
]
}
]
}
}
}

Human Readable Output#

User Aliases:#

User IDProduct Object IDProduct NameVendor NameStart TimeEnd Time
admintest_product_entity_idtest_product_nametest_vendor_name2023-04-26T00:00:00Z2023-01-08T06:47:56.197021Z
admintest_product_entity_id_1Configuration Management Database (CMDB)vendor_name2023-01-08T06:47:56.197021Z2023-06-12T00:00:00Z

27. gcb-list-assetaliases#


Lists all the aliases of an asset in an enterprise for the specified asset identifier and time period.

Base Command#

gcb-list-assetaliases

Input#

Argument NameDescriptionRequired
start_timeThe value of the start time for your request.
The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time.
If not supplied, the product considers UTC time corresponding to 3 days earlier than the current time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.
Optional
end_timeThe value of the end time for your request.
The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time.
If not supplied, the product considers the current UTC time.

Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.
Optional
page_sizeSpecify the maximum number of assets aliases to fetch. You can specify between 1 and 10000. Default is 10000.Optional
asset_identifier_typeSpecify the identifier type of the asset indicator. Possible values are: Host Name, IP Address, MAC Address, Product ID.Required
asset_identifierValue of the asset identifier.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.AssetAliases.asset.product_idStringProduct ID associated with the asset alias.
GoogleChronicleBackstory.AssetAliases.asset.macStringMAC address associated with the asset alias.
GoogleChronicleBackstory.AssetAliases.asset.assetIpAddressStringIP address associated with the asset alias.
GoogleChronicleBackstory.AssetAliases.asset.hostnameStringHostname associated with the asset alias.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.interval.startTimeDateStart time of the interval from which asset aliases are found.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.interval.endTimeDateEnd time of the interval from which asset aliases are found.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.ipStringThe IP address of the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.collectedTimestampDateThe timestamp when the data was collected.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.vendorNameStringThe name of the vendor.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.productNameStringThe name of the product.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.entityTypeStringThe type of the entity.
GoogleChronicleBackstory.AssetAliases.asset.aliases.metadata.descriptionStringA description of the entity.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.productObjectIdStringThe unique identifier of the product.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.hostnameStringThe hostname of the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.assetIdStringThe identifier of the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.platformSoftwareUnknownThe software running on the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.nameStringThe name of the vulnerability.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.descriptionStringA description of the vulnerability.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.scanStartTimeDateThe start time of the vulnerability scan.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.scanEndTimeDateThe end time of the vulnerability scan.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.firstFoundDateThe first time the vulnerability was found.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.vulnerabilities.lastFoundDateThe most recent time the vulnerability was found.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.platformSoftware.platformVersionStringThe version of the platform software.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.networkDomainStringThe network domain of the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.attribute.labels.keyStringThe key of an attribute label associated with the asset.
GoogleChronicleBackstory.AssetAliases.asset.aliases.entity.asset.attribute.labels.valueStringThe value of an attribute label associated with the asset.

Command example#

!gcb-list-assetaliases asset_identifier_type="Host Name" asset_identifier="windows-endpoint"

Context Example#

{
"GoogleChronicleBackstory.AssetAliases(val.asset.asset_ip_address == obj.asset.asset_ip_address && val.asset.product_id == obj.asset.product_id && val.asset.mac == obj.asset.mac && val.asset.hostname == obj.asset.hostname)": {
"asset": {
"hostname": "example.com",
"aliases": [
{
"metadata": {
"interval": {
"startTime": "2023-01-01T00:00:00Z",
"endTime": "2023-01-01T00:00:01Z"
}
},
"entity": {
"asset": {
"hostname": "windows-endpoint"
}
}
},
{
"metadata": {
"interval": {
"startTime": "2023-01-01T00:00:00Z",
"endTime": "2023-01-01T00:00:01Z"
}
},
"entity": {
"asset": {
"hostname": "windows-endpoint",
"assetId": "test_asset_id"
}
}
}
]
}
}
}

Human Readable Output#

Asset Aliases:#

Asset IDHost NameStart TimeEnd Time
windows-endpoint2023-01-01T00:00:00Z2023-01-01T00:00:01Z
test_asset_idwindows-endpoint2023-01-01T00:00:00Z2023-01-01T00:00:01Z

28. gcb-list-curatedrules#


List curated rules.

Base Command#

gcb-list-curatedrules

Input#

Argument NameDescriptionRequired
page_tokenPage token received from a previous call. Use to retrieve the next page.Optional
page_sizeSpecify the maximum number of rules to return. You can specify between 1 and 1000.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.CuratedRules.ruleIdStringUnique identifier for a rule, defined and returned by the server.
GoogleChronicleBackstory.CuratedRules.ruleNameStringName of the rule.
GoogleChronicleBackstory.CuratedRules.severityStringSeverity of the rule ("Info", "Low", or "High").
GoogleChronicleBackstory.CuratedRules.ruleTypeStringType of the rule ("SINGLE_EVENT" or "MULTI_EVENT").
GoogleChronicleBackstory.CuratedRules.precisionStringPrecision of the rule ("BROAD" or "PRECISE").
GoogleChronicleBackstory.CuratedRules.tacticsStringList of MITRE tactic IDs covered by the rule.
GoogleChronicleBackstory.CuratedRules.techniquesStringList of MITRE technique IDs covered by the rule.
GoogleChronicleBackstory.CuratedRules.updateTimeDateString representing the time the rule was last updated, in RFC 3339 format.
GoogleChronicleBackstory.CuratedRules.ruleSetStringUnique identifier of the Chronicle rule set containing the rule.
GoogleChronicleBackstory.CuratedRules.descriptionStringDescription of the rule.
GoogleChronicleBackstory.CuratedRules.metadata.false_positivesStringMetadata for the rule.
GoogleChronicleBackstory.CuratedRules.metadata.referenceStringReference for the rule.
GoogleChronicleBackstory.Token.nameStringThe name of the command to which the value of the nextPageToken corresponds.
GoogleChronicleBackstory.Token.nextPageTokenStringA page token that can be provided to the next call to view the next page of Rules. Absent if this is the last page.

Command example#

!gcb-list-curatedrules page_size="2"

Context Example#

{
"GoogleChronicleBackstory": {
"CuratedRules": [
{
"ruleId": "ur_ttp_GCP__Global",
"ruleName": "GCE SSH Keys",
"severity": "Low",
"ruleType": "SINGLE_EVENT",
"precision": "BROAD",
"tactics": [
"TA0000"
],
"techniques": [
"T0000.000"
],
"updateTime": "2023-05-01T21:56:43.352504Z",
"ruleSet": "00000000-0000-0000-0000-000000000000",
"description": "Identifies the addition of project-wide SSH keys where there were previously none."
},
{
"ruleId": "ur_ttp_GCP__Editor",
"ruleName": "GCP Service Account Editor",
"severity": "Low",
"ruleType": "MULTI_EVENT",
"precision": "BROAD",
"tactics": [
"TA0000"
],
"techniques": [
"T0000.000"
],
"updateTime": "2023-05-01T21:56:43.352504Z",
"ruleSet": "00000000-0000-0000-0000-000000000000",
"description": "Identifies a new Service Account created with Editor role within the project."
}
],
"Token": {
"name": "gcb-list-curatedrules",
"nextPageToken": "next_page_token"
}
}
}

Human Readable Output#

Curated Rules:#

Rule IDRule NameSeverityRule TypeRule SetDescription
ur_ttp_GCP__GlobalGCE SSH KeysLowSINGLE_EVENT00000000-0000-0000-0000-000000000000Identifies the addition of project-wide SSH keys where there were previously none.
ur_ttp_GCP__EditorGCP Service Account EditorLowMULTI_EVENT00000000-0000-0000-0000-000000000000Identifies a new Service Account created with Editor role within the project.

Maximum number of curated rules specified in page_size has been returned. To fetch the next set of curated rules, execute the command with the page token as next_page_token.

29. gcb-list-curatedrule-detections#


Return the detections for the specified curated rule identifier.

Base Command#

gcb-list-curatedrule-detections

Input#

Argument NameDescriptionRequired
idUnique identifier for a curated rule, defined and returned by the server. You can specify exactly one curated rule identifier.Required
alert_stateFilter detections based on whether the alert state is ALERTING or NOT_ALERTING.
Do not specify to return all detections. Possible values are: ALERTING, NOT_ALERTING.
Optional
page_sizeSpecify the limit on the number of detections to display. You can specify between 1 and 1000. Default is 100.Optional
page_tokenA page token received from a previous call. Provide this to retrieve the subsequent page. If the page token is configured, overrides the detection start and end time arguments.Optional
list_basisSort detections by "DETECTION_TIME" or by "CREATED_TIME". If not specified, it defaults to "DETECTION_TIME". Detections are returned in descending order of the timestamp. Possible values are: DETECTION_TIME, CREATED_TIME.Optional
start_timeStart time of the time range to return detections for, filtering by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-05-01T00:00:00Z, 2023-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2023 04:45:33, 15 Jun.
Optional
end_timeEnd time of the time range to return detections for, filtering by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended.
Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.
Example: 2023-05-01T00:00:00Z, 2023-05-01, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2021 04:45:33, 15 Jun.
Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.CuratedRuleDetections.idStringIdentifier for the detection.
GoogleChronicleBackstory.CuratedRuleDetections.ruleIdStringIdentifier for the rule generating the detection.
GoogleChronicleBackstory.CuratedRuleDetections.ruleNameStringName of the rule generating the detection, as parsed from ruleText.
GoogleChronicleBackstory.CuratedRuleDetections.ruleSetStringThe identifier of the Chronicle rule set that generated this detection.
GoogleChronicleBackstory.CuratedRuleDetections.ruleSetDisplayNameStringThe display name of the Chronicle rule set that generated this detection.
GoogleChronicleBackstory.CuratedRuleDetections.tagsUnknownA list of MITRE tactic and technique IDs covered by the Chronicle rule.
GoogleChronicleBackstory.CuratedRuleDetections.timeWindowStartTimeDateThe start time of the window the detection was found in.
GoogleChronicleBackstory.CuratedRuleDetections.timeWindowEndTimeDateThe end time of the window the detection was found in.
GoogleChronicleBackstory.CuratedRuleDetections.alertStateStringIndicates whether the rule generating this detection currently has alerting enabled or disabled.
GoogleChronicleBackstory.CuratedRuleDetections.descriptionStringDescription of the Chronicle rule that generated the detection.
GoogleChronicleBackstory.CuratedRuleDetections.urlBackToProductStringURL pointing to the Chronicle UI for this detection.
GoogleChronicleBackstory.CuratedRuleDetections.typeStringType of detection.
GoogleChronicleBackstory.CuratedRuleDetections.createdTimeDateTime the detection was created.
GoogleChronicleBackstory.CuratedRuleDetections.detectionTimeDateThe time period the detection was found in.
GoogleChronicleBackstory.CuratedRuleDetections.lastUpdatedTimeDateThe time period the detection was updated.
GoogleChronicleBackstory.CuratedRuleDetections.riskScoreNumberRisk score of detection.
GoogleChronicleBackstory.CuratedRuleDetections.severityStringSeverity of the detection ("INFORMATIONAL" or "LOW" or "HIGH").
GoogleChronicleBackstory.CuratedRuleDetections.summaryStringSummary for the generated detection.
GoogleChronicleBackstory.CuratedRuleDetections.ruleTypeStringWhether the rule generating this detection is a single event or multi-event rule.
GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.keyStringThe key for a field specified in the rule, for MULTI_EVENT rules.
GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.sourceStringThe source for a field specified in the rule, for MULTI_EVENT rules.
GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.valueStringThe value for a field specified in the rule, for MULTI_EVENT rules.
GoogleChronicleBackstory.CuratedRuleDetections.outcomes.keyStringThe key for a field specified in the outcomes of detection, for "MULTI_EVENT" rules.
GoogleChronicleBackstory.CuratedRuleDetections.outcomes.sourceStringThe source for a field specified in the outcomes of detection, for "MULTI_EVENT" rules.
GoogleChronicleBackstory.CuratedRuleDetections.outcomes.valueStringThe value for a field specified in the outcomes of detection, for "MULTI_EVENT" rules.
GoogleChronicleBackstory.CuratedRuleDetections.ruleLabels.keyStringThe key for a field specified in the Chronicle rule metadata.
GoogleChronicleBackstory.CuratedRuleDetections.ruleLabels.valueStringThe value for a field specified in the Chronicle rule metadata.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.labelStringThe variable a given set of UDM events belongs to.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principalAssetIdentifierStringSpecifies the principal asset identifier of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.targetAssetIdentifierStringSpecifies the target asset identifier of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.collectedTimestampDateThe GMT timestamp when the event was collected.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.idStringThe event ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestedTimestampDateThe GMT timestamp when the event was ingested in the vendor's instance.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestionLabels.keyStringThe key for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestionLabels.valueStringThe value for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.logTypeStringType of log.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.ipStringIP address associated with a network connection for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.countryOrRegionStringAssociated country or region for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionCoordinates.latitudeNumberLatitude coordinate of the region for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionCoordinates.longitudeNumberLongitude coordinate of the region for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionLatitudeNumberLatitude of the region for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionLongitudeNumberLongitude of the region for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.stateStringAssociated state of IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.asnStringAssociated ASN with a network connection for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.carrierNameStringAssociated carrier name with a network connection for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.dnsDomainStringAssociated DNS domain with a network connection for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.organizationNameStringAssociated organization name with a network connection for IP Geolocation.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.countryOrRegionStringAssociated country or region for IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionCoordinates.latitudeNumberLatitude coordinate of the region for IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionCoordinates.longitudeNumberLongitude coordinate of the region for IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionLatitudeNumberLatitude of the region for IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionLongitudeNumberLongitude of the region for IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.stateStringAssociated state of IP location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.labels.keyStringThe key for a field specified in the principal labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.labels.valueStringThe value for a field specified in the principal labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.countryOrRegionStringAssociated country or region for principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionCoordinates.latitudeNumberLatitude coordinate of the region for the principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionCoordinates.longitudeNumberLongitude coordinate of the region for the principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionLatitudeNumberLatitude of the region for the principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionLongitudeNumberLongitude of the region for the principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.stateStringAssociated state of principal location.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.cloud.project.nameStringAssociated name of the project specified in the principal resource.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.cloud.project.resourceSubtypeStringAssociated resource sub-type of the project specified in the principal resource.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.labels.keyStringThe key for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.labels.valueStringThe value for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.cloud.environmentStringAssociated environment specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.cloud.project.idStringAssociated ID of the project specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.permissions.nameStringAssociated name of the permission specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.permissions.typeStringAssociated type of the permission specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.descriptionStringAssociated description of the role specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.nameStringAssociated name of the role specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.typeStringAssociated type of the role specified in the principal user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.productObjectIdStringStores the product object ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.administrativeDomainStringDomain for which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.applicationStringApplication of the target related to the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.availabilityZoneStringAssociated availability zone specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.environmentStringAssociated environment specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.project.nameStringAssociated name of the project specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.vpcUnknownAssociated VPC specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.nameStringAssociated resource name specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.productObjectIdStringAssociated product object ID specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.resourceTypeStringAssociated resource type specified in the event target.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.attribute.labels.keyStringThe key for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.attribute.labels.valueStringThe value for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.cloud.environmentStringAssociated environment specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.cloud.project.idStringAssociated ID of the project specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.roles.nameStringAssociated name of the role specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.roles.typeStringAssociated type of the role specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.emailAddressesUnknownStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.productObjectIdStringStores the human resources product object ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.actionUnknownSpecify a security action.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.categoryDetailsUnknownSpecify a security category details.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.detectionFields.keyStringThe key for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.detectionFields.valueStringThe value for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.confidenceDetailsStringAdditional details with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.
GoogleChronicleBackstory.Token.nameStringThe name of the command to which the value of the nextPageToken corresponds.
GoogleChronicleBackstory.Token.nextPageTokenStringA page token that can be provided to the next call to view the next page of detections. Absent if this is the last page.

Command example#

!gcb-list-curatedrule-detections page_size="2"

Context Example#

{
"GoogleChronicleBackstory": {
"CuratedRuleDetections": [
{
"type": "GCTI_FINDING",
"createdTime": "2023-06-14T18:38:30.569526Z",
"lastUpdatedTime": "2023-06-14T18:38:30.569526Z",
"id": "de_50fd0957-0959-0000-d556-c6f8000016b1",
"collectionElements": [
{
"references": [
{
"eventTimestamp": "2023-06-14T17:27:39.239875241Z",
"collectedTimestamp": "2023-06-14T17:27:42.956025244Z",
"eventType": "RESOURCE_DELETION",
"vendorName": "Google Cloud Platform",
"productName": "Google Cloud Platform",
"productEventType": "google.cloud.secretmanager.v1.SecretManagerService.DeleteSecret",
"urlBackToProduct": "url_0000",
"ingestedTimestamp": "2023-06-14T17:27:44.382729Z",
"id": "000000000000000000000001",
"logType": "GCP_CLOUD_AUDIT",
"eventSeverity": "INFORMATIONAL",
"principalAssetIdentifier": "0.0.0.1",
"principal": {
"user": {
"emailAddresses": [
"secret-migration@test-is-00001.iam.gserviceaccount.com"
],
"productObjectId": "000000000000000000000001",
"attribute": {
"roles": [
{
"name": "roles/secretmanager.admin",
"type": "SERVICE_ACCOUNT"
}
],
"permissions": [
{
"name": "secretmanager.secrets.delete",
"type": "ADMIN_WRITE"
}
]
}
},
"ip": [
"0.0.0.1"
],
"location": {
"state": "State",
"countryOrRegion": "Country",
"regionLatitude": 10.0,
"regionLongitude": 10.0,
"regionCoordinates": {
"latitude": 10.0,
"longitude": 10.0
}
},
"resource": {
"attribute": {
"cloud": {
"project": {
"name": "projects/0000000/secrets/gsm_secret_1",
"resourceSubtype": "secretmanager.googleapis.com/Secret"
}
},
"labels": [
{
"key": "request_type",
"value": "type.googleapis.com/google.cloud.secretmanager.v1.DeleteSecretRequest"
}
]
}
},
"labels": [
{
"key": "request_attributes_time",
"value": "2023-06-14T17:27:39.245079752Z"
}
],
"ipGeoArtifact": [
{
"ip": "0.0.0.1",
"location": {
"state": "State",
"countryOrRegion": "India",
"regionLatitude": 10.0,
"regionLongitude": 10.0,
"regionCoordinates": {
"latitude": 10.0,
"longitude": 10.0
}
},
"network": {
"asn": "00001",
"dnsDomain": "broad_band.in",
"carrierName": "broad band.",
"organizationName": "broad band services limited"
}
}
]
},
"target": {
"application": "secretmanager.googleapis.com",
"resource": {
"name": "gsm_secret_1",
"attribute": {
"labels": [
{
"key": "request_name",
"value": "projects/test-is-00001/secrets/gsm_secret_1"
}
]
}
},
"cloud": {
"environment": "GOOGLE_CLOUD_PLATFORM",
"project": {
"name": "test-is-00001"
}
}
},
"securityResult": [
{
"categoryDetails": [
"projects/test-is-00001/logs/cloudaudit.googleapis.com"
],
"action": [
"ALLOW"
],
"severity": "INFORMATIONAL",
"detectionFields": [
{
"key": "resource_name",
"value": "projects/0000001/secrets/gsm_secret_1"
},
{
"key": "key_id",
"value": "000000000000000000000001"
}
]
}
],
"network": {
"http": {
"userAgent": "grpc-python-asyncio/1.51.3 grpc-c/29.0.0 (windows; chttp2),gzip(gfe)"
}
}
}
],
"label": "e"
}
],
"detectionTime": "2023-06-14T17:28:00Z",
"tags": [
"TA0040",
"T1485"
],
"ruleName": "GCP Secret Manager Mass Deletion",
"summary": "Rule Detection",
"description": "Identifies mass deletion of secrets in GCP Secret Manager.",
"severity": "LOW",
"urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_50fd0957-0959-0000-d556-c6f8000016b1",
"ruleId": "ur_ttp_GCP__MassSecretDeletion",
"alertState": "ALERTING",
"ruleType": "MULTI_EVENT",
"detectionFields": [
{
"key": "resource",
"value": "secretmanager.googleapis.com"
},
{
"key": "principaluser",
"value": "secret@google.com",
"source": "udm.principal.user.email_addresses"
}
],
"ruleLabels": [
{
"key": "rule_name",
"value": "GCP Secret Manager Mass Deletion"
},
{
"key": "false_positives",
"value": "This may be common behavior in dev, testing, or deprecated projects."
}
],
"outcomes": [
{
"key": "risk_score",
"value": "35"
},
{
"key": "resource_name",
"value": "gsm_secret_1, gsm_secret_10",
"source": "udm.target.resource.name"
},
{
"key": "ip",
"value": "0.0.0.1",
"source": "udm.principal.ip"
}
],
"ruleSet": "9d7537ae-0ae2-0000-b5e2-507c00008ae9",
"ruleSetDisplayName": "Service Disruption",
"riskScore": 35,
"timeWindowStartTime": "2023-06-14T17:18:00Z",
"timeWindowEndTime": "2023-06-14T17:28:00Z"
},
{
"type": "GCTI_FINDING",
"createdTime": "2023-06-14T18:38:30.569526Z",
"lastUpdatedTime": "2023-06-14T18:38:30.569526Z",
"id": "de_662d8ff5-8eea-deb8-274e-f3410c7b935a",
"collectionElements": [
{
"references": [
{
"eventTimestamp": "2023-06-14T17:27:39.239875241Z",
"collectedTimestamp": "2023-06-14T17:27:42.956025244Z",
"eventType": "RESOURCE_DELETION",
"vendorName": "Google Cloud Platform",
"productName": "Google Cloud Platform",
"productEventType": "google.cloud.secretmanager.v1.SecretManagerService.DeleteSecret",
"urlBackToProduct": "url_0000",
"ingestedTimestamp": "2023-06-14T17:27:44.382729Z",
"id": "000000000000000000000001",
"logType": "GCP_CLOUD_AUDIT",
"eventSeverity": "INFORMATIONAL",
"principalAssetIdentifier": "0.0.0.1",
"principal": {
"user": {
"emailAddresses": [
"secret-migration@test-is-00001.iam.gserviceaccount.com"
],
"productObjectId": "000000000000000000000001",
"attribute": {
"roles": [
{
"name": "roles/secretmanager.admin",
"type": "SERVICE_ACCOUNT"
}
],
"permissions": [
{
"name": "secretmanager.secrets.delete",
"type": "ADMIN_WRITE"
}
]
}
},
"ip": [
"0.0.0.1"
],
"location": {
"state": "State",
"countryOrRegion": "Country",
"regionLatitude": 10.0,
"regionLongitude": 10.0,
"regionCoordinates": {
"latitude": 10.0,
"longitude": 10.0
}
},
"resource": {
"attribute": {
"cloud": {
"project": {
"name": "projects/0000000/secrets/gsm_secret_1",
"resourceSubtype": "secretmanager.googleapis.com/Secret"
}
},
"labels": [
{
"key": "request_type",
"value": "type.googleapis.com/google.cloud.secretmanager.v1.DeleteSecretRequest"
}
]
}
},
"labels": [
{
"key": "request_attributes_time",
"value": "2023-06-14T17:27:39.245079752Z"
}
],
"ipGeoArtifact": [
{
"ip": "0.0.0.1",
"location": {
"state": "State",
"countryOrRegion": "India",
"regionLatitude": 10.0,
"regionLongitude": 10.0,
"regionCoordinates": {
"latitude": 10.0,
"longitude": 10.0
}
},
"network": {
"asn": "00001",
"dnsDomain": "broad_band.in",
"carrierName": "broad band.",
"organizationName": "broad band services limited"
}
}
]
},
"target": {
"application": "secretmanager.googleapis.com",
"resource": {
"name": "gsm_secret_1",
"attribute": {
"labels": [
{
"key": "request_name",
"value": "projects/test-is-00001/secrets/gsm_secret_1"
}
]
}
},
"cloud": {
"environment": "GOOGLE_CLOUD_PLATFORM",
"project": {
"name": "test-is-00001"
}
}
},
"securityResult": [
{
"categoryDetails": [
"projects/test-is-00001/logs/cloudaudit.googleapis.com"
],
"action": [
"ALLOW"
],
"severity": "INFORMATIONAL",
"detectionFields": [
{
"key": "resource_name",
"value": "projects/0000001/secrets/gsm_secret_1"
},
{
"key": "key_id",
"value": "000000000000000000000001"
}
]
}
],
"network": {
"http": {
"userAgent": "grpc-python-asyncio/1.51.3 grpc-c/29.0.0 (windows; chttp2),gzip(gfe)"
}
}
}
],
"label": "e"
}
],
"detectionTime": "2023-06-14T17:28:00Z",
"tags": [
"TA0040",
"T1485"
],
"ruleName": "GCP Secret Manager Mass Deletion",
"summary": "Rule Detection",
"description": "Identifies mass deletion of secrets in GCP Secret Manager.",
"severity": "LOW",
"urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_662d8ff5-8eea-deb8-274e-f3410c7b935a",
"ruleId": "ur_ttp_GCP__MassSecretDeletion",
"alertState": "ALERTING",
"ruleType": "MULTI_EVENT",
"detectionFields": [
{
"key": "resource",
"value": "secretmanager.googleapis.com"
},
{
"key": "principaluser",
"value": "secret@google.com",
"source": "udm.principal.user.email_addresses"
}
],
"ruleLabels": [
{
"key": "rule_name",
"value": "GCP Secret Manager Mass Deletion"
},
{
"key": "false_positives",
"value": "This may be common behavior in dev, testing, or deprecated projects."
}
],
"outcomes": [
{
"key": "risk_score",
"value": "35"
},
{
"key": "resource_name",
"value": "gsm_secret_1, gsm_secret_10",
"source": "udm.target.resource.name"
},
{
"key": "ip",
"value": "0.0.0.1",
"source": "udm.principal.ip"
}
],
"ruleSet": "9d7537ae-0ae2-0000-b5e2-507c00008ae9",
"ruleSetDisplayName": "Service Disruption",
"riskScore": 35,
"timeWindowStartTime": "2023-06-14T17:18:00Z",
"timeWindowEndTime": "2023-06-14T17:28:00Z"
}
],
"Token": {
"name": "gcb-list-curatedrule-detections",
"nextPageToken": "next_page_token"
}
}
}

Human Readable Output#

Curated Detection(s) Details For Rule: [GCP Secret Manager Mass Deletion](https://dummy-chronicle/ruleDetections?ruleId=ur_ttp_GCP__MassSecretDeletion#

Detection IDDescriptionDetection TypeDetection TimeEventsAlert StateDetection SeverityDetection Risk-Score
de_50fd0957-0959-0000-d556-c6f8000016b1Identifies mass deletion of secrets in GCP Secret Manager.GCTI_FINDING2023-06-14T17:28:00ZEvent Timestamp: 2023-06-14T17:27:39.239875241Z
Event Type: RESOURCE_DELETION
Principal Asset Identifier: 0.0.0.1
ALERTINGLOW35
de_662d8ff5-8eea-deb8-274e-f3410c7b935aIdentifies mass deletion of secrets in GCP Secret Manager.GCTI_FINDING2023-06-14T17:28:00ZEvent Timestamp: 2023-06-14T17:27:39.239875241Z
Event Type: RESOURCE_DELETION
Principal Asset Identifier: 0.0.0.1
ALERTINGLOW35

View all Curated Detections for this rule in Chronicle by clicking on GCP Secret Manager Mass Deletion and to view individual detection in Chronicle click on its respective Detection ID. Maximum number of detections specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token as next_page_token.

30. gcb-udm-search#


Lists the events for the specified UDM Search query.

Base Command#

gcb-udm-search

Input#

Argument NameDescriptionRequired
start_timeThe value of the start time for your request. The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time. If not supplied, the product considers UTC time corresponding to 3 days earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. If the date is supplied in duration, it will be calculated as time.now() - duration. Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.Optional
end_timeThe value of the end time for your request. The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time. If not supplied, the product considers current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. If the date is supplied in duration, it will be calculated as time.now() - duration. Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun.Optional
limitSpecify the maximum number of matched events to return. You can specify between 1 and 1000. Default is 200.Optional
queryUDM search query.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Events.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.idStringThe event ID.
GoogleChronicleBackstory.Events.ingestedTimestampDateThe GMT timestamp when the event was ingested in the vendor's instance.
GoogleChronicleBackstory.Events.ingestionLabels.keyStringThe key for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.Events.ingestionLabels.valueStringThe value for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.Events.collectedTimestampDateThe GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.logTypeStringType of log.
GoogleChronicleBackstory.Events.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Events.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Events.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.emailStringEmail address.
GoogleChronicleBackstory.Events.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.ipStringIP address associated with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.countryOrRegionStringAssociated country or region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionCoordinates.latitudeNumberLatitude coordinate of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionCoordinates.longitudeNumberLongitude coordinate of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionLatitudeNumberLatitude of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionLongitudeNumberLongitude of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.stateStringAssociated state of IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.asnStringAssociated ASN with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.carrierNameStringAssociated carrier name with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.dnsDomainStringAssociated DNS domain with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.organizationNameStringAssociated organization name with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipLocation.countryOrRegionStringAssociated country or region for IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionCoordinates.latitudeNumberLatitude coordinate of the region for IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionCoordinates.longitudeNumberLongitude coordinate of the region for IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionLatitudeNumberLatitude of the region for IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionLongitudeNumberLongitude of the region for IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.stateStringAssociated state of IP location.
GoogleChronicleBackstory.Events.principal.labels.keyStringThe key for a field specified in the principal labels of the event.
GoogleChronicleBackstory.Events.principal.labels.valueStringThe value for a field specified in the principal labels of the event.
GoogleChronicleBackstory.Events.principal.location.countryOrRegionStringAssociated country or region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionCoordinates.latitudeNumberLatitude coordinate of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionCoordinates.longitudeNumberLongitude coordinate of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionLatitudeNumberLatitude of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionLongitudeNumberLongitude of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.stateStringAssociated state of the principal location.
GoogleChronicleBackstory.Events.principal.resource.attribute.cloud.project.nameStringAssociated name of the project specified in the principal resource.
GoogleChronicleBackstory.Events.principal.resource.attribute.cloud.project.resourceSubtypeStringAssociated resource sub-type of the project specified in the principal resource.
GoogleChronicleBackstory.Events.principal.resource.attribute.labels.keyStringThe key for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.principal.resource.attribute.labels.valueStringThe value for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.principal.user.attribute.cloud.environmentStringAssociated environment specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.cloud.project.idStringAssociated ID of the project specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.permissions.nameStringAssociated name of the permission specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.permissions.typeStringAssociated type of the permission specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.descriptionStringAssociated description of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.nameStringAssociated name of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.typeStringAssociated type of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.urlStringStandard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeIdStringStores the product object ID for the user.
GoogleChronicleBackstory.Events.principal.user.productObjectIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.emailStringEmail address.
GoogleChronicleBackstory.Events.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.applicationStringApplication of the target related to the event.
GoogleChronicleBackstory.Events.target.cloud.availabilityZoneStringAssociated availability zone specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.environmentStringAssociated environment specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.project.nameStringAssociated name of the project specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.vpcUnknownAssociated VPC specified in the event target.
GoogleChronicleBackstory.Events.target.resource.nameStringAssociated resource name specified in the event target.
GoogleChronicleBackstory.Events.target.resource.productObjectIdStringAssociated product object ID specified in the event target.
GoogleChronicleBackstory.Events.target.resource.resourceTypeStringAssociated resource type specified in the event target.
GoogleChronicleBackstory.Events.target.resource.attribute.labels.keyStringThe key for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.target.resource.attribute.labels.valueStringThe value for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.target.urlStringStandard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.attribute.cloud.environmentStringAssociated environment specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.cloud.project.idStringAssociated ID of the project specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.roles.nameStringAssociated name of the role specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.roles.typeStringAssociated type of the role specified in the target user.
GoogleChronicleBackstory.Events.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.productObjectIdStringStores the human resources product object ID for the user.
GoogleChronicleBackstory.Events.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Events.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.emailStringEmail address.
GoogleChronicleBackstory.Events.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.urlStringStandard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.emailStringEmail address.
GoogleChronicleBackstory.Events.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.urlStringStandard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.emailStringEmail address.
GoogleChronicleBackstory.Events.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.urlStringStandard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Events.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Events.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Events.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Events.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Events.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Events.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Events.securityResult.categoryDetailsUnknownSpecify a security category details.
GoogleChronicleBackstory.Events.securityResult.detectionFields.keyStringThe key for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.Events.securityResult.detectionFields.valueStringThe value for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.Events.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsStringAdditional details with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Events.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.

Command example#

!gcb-udm-search query="ip=\"0.0.0.1\"" limit="2"

Context Example#

{
"GoogleChronicleBackstory": {
"Events": [
{
"metadata": {
"productLogId": "010000",
"eventTimestamp": "2023-01-14T00:59:52.110Z",
"eventType": "REGISTRY_MODIFICATION",
"vendorName": "Microsoft",
"productName": "Microsoft-Windows-Sysmon",
"productEventType": "13",
"ingestedTimestamp": "2023-01-14T13:14:24.377988Z",
"id": "010000=",
"enrichmentState": "ENRICHED"
},
"principal": {
"hostname": "active.stack.local",
"assetId": "ACTIVE",
"user": {
"userid": "LOCAL SERVICE",
"windowsSid": "S-1-1-10"
},
"process": {
"pid": "1000",
"file": {
"fullPath": "C:\\Windows\\host.exe"
},
"productSpecificProcessId": "SYSMON:{00000000-0000-0000-0000-000000000f00}"
},
"ip": [
"0.0.0.1"
],
"administrativeDomain": "AUTHORITY",
"asset": {
"productObjectId": "0000-0000-0000-0000-000000001000",
"hostname": "active.stack.local",
"assetId": "ACTIVE",
"ip": [
"0.0.0.1"
],
"platformSoftware": {
"platform": "WINDOWS",
"platformVersion": "Windows"
},
"location": {
"countryOrRegion": "0"
},
"category": "Computer",
"attribute": {
"labels": [
{
"key": "Bad password count",
"value": "0"
},
{
"key": "Password Expired",
"value": "false"
}
],
"creationTime": "2023-01-14T00:00:10Z",
"lastUpdateTime": "2023-01-14T00:00:10Z"
}
}
},
"target": {
"registry": {
"registryKey": "System\\LastKnownGoodTime",
"registryValueData": "WORD"
},
"ip": [
"0.0.0.1"
]
},
"about": [
{
"labels": [
{
"key": "Category ID",
"value": "RegistryEvent"
}
]
}
],
"securityResult": [
{
"ruleName": "technique_id=T0000,technique_name=Service Creation",
"summary": "Registry value set",
"severity": "INFORMATIONAL"
},
{
"ruleName": "EventID: 10",
"action": [
"ALLOW"
]
}
]
},
{
"name": "0000000020000",
"udm": {
"metadata": {
"productLogId": "0001",
"eventTimestamp": "2023-01-14T00:56:57.372Z",
"eventType": "NETWORK_DNS",
"vendorName": "Microsoft",
"productName": "Microsoft",
"productEventType": "22",
"ingestedTimestamp": "2023-01-14T10:07:42.183563Z",
"id": "0000000020000=",
"enrichmentState": "ENRICHED"
},
"principal": {
"hostname": "DESKTOP",
"user": {
"userid": "SYSTEM",
"windowsSid": "S-1-1-11"
},
"process": {
"pid": "2000",
"file": {
"sha256": "0000000000000000000000000000000000000000000000000000000000000001",
"md5": "00000000000000000000000000000001",
"sha1": "0000000000000000000000000000000000000001",
"fullPath": "C:\\Scripts.exe",
"fileMetadata": {
"pe": {
"importHash": "00000000000000000000000000000001"
}
}
},
"commandLine": "\"C:\\Scripts.exe\" \"shutdown\"",
"productSpecificProcessId": "SYSMON"
},
"administrativeDomain": "AUTHORITY"
},
"target": {
"mac": [
"0.0.0.1"
]
},
"about": [
{
"labels": [
{
"key": "Category ID",
"value": "DnsQuery"
}
]
}
],
"securityResult": [
{
"summary": "Dns query",
"severity": "INFORMATIONAL"
},
{
"ruleName": "EventID: 22",
"summary": "QueryStatus: 0"
}
],
"network": {
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "logging.googleapis.com"
}
],
"answers": [
{
"type": 5,
"data": "logging.googleapis.com"
}
]
}
}
}
}
]
}
}

Human Readable Output#

Event(s) Details#

Event IDEvent TimestampEvent TypeSecurity ResultsPrincipal Asset IdentifierTarget Asset IdentifierProduct NameVendor NameQueried Domain
010000=2023-01-14T00:59:52.110ZREGISTRY_MODIFICATIONSeverity: INFORMATIONAL
Summary: Registry value set
Rule Name: technique_id=T0000,technique_name=Service Creation

Actions: ALLOW
Rule Name: EventID: 10
active.stack.local0.0.0.1Microsoft-Windows-SysmonMicrosoft
0000000020000=2023-01-14T00:56:57.372ZNETWORK_DNSSeverity: INFORMATIONAL
Summary: Dns query

Summary: QueryStatus: 0
Rule Name: EventID: 22
DESKTOP0.0.0.1MicrosoftMicrosoftlogging.googleapis.com

Maximum number of events specified in limit has been returned. There might still be more events in your Chronicle account. To fetch the next set of events, execute the command with the end time as 2023-01-14T00:56:57.372Z.

31. gcb-verify-value-in-reference-list#


Check if provided values are found in the reference lists in Google Chronicle.

Base Command#

gcb-verify-value-in-reference-list

Input#

Argument NameDescriptionRequired
valuesSpecify the values to search in reference lists.
Format accepted is: "value 1, value 2, value 3".
Required
reference_list_namesSpecify the reference list names to search through. Supports comma separated values.Required
case_insensitive_searchIf set to true, the command performs case insensitive matching. Possible values are: True, False. Default is False.Optional
delimiterDelimiter by which the content of the values list is separated.
Eg: " , " , " : ", " ; ". Default is ",".
Optional
add_not_found_reference_listsIf set to true, the command will add the not found reference list names to the HR and the context. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
GoogleChronicleBackstory.VerifyValueInReferenceList.valueStringThe item value to search in the reference list.
GoogleChronicleBackstory.VerifyValueInReferenceList.found_in_listsStringList of Reference list names, where item was found.
GoogleChronicleBackstory.VerifyValueInReferenceList.not_found_in_listsStringList of Reference list names, where item not was found.
GoogleChronicleBackstory.VerifyValueInReferenceList.overall_statusStringWhether value found in any reference list.

Command example#

!gcb-verify-value-in-reference-list reference_list_names="list1,list2" values="value1;value2;value4" delimiter=; case_insensitive_search=True add_not_found_reference_lists=True

Context Example#

{
"GoogleChronicleBackstory": {
"VerifyValueInReferenceList": [
{
"case_insensitive": true,
"value": "value1",
"found_in_lists": [
"list1"
],
"not_found_in_lists": [
"list2"
],
"overall_status": "Found"
},
{
"case_insensitive": true,
"value": "value2",
"found_in_lists": [
"list1"
],
"not_found_in_lists": [
"list2"
],
"overall_status": "Found"
},
{
"case_insensitive": true,
"value": "value4",
"found_in_lists": [],
"not_found_in_lists": [
"list1",
"list2"
],
"overall_status": "Not Found"
}
]
}
}

Human Readable Output#

Successfully searched provided values in the reference lists in Google Chronicle.#

ValueFound In ListsNot Found In ListsOverall Status
value1list1list2Found
value2list1list2Found
value4list1, list2Not Found

32. gcb-verify-rule#


Verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

Base Command#

gcb-verify-rule

Input#

Argument NameDescriptionRequired
rule_textSpecify the Rule text in YARA-L 2.0 format to verify.Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.VerifyRule.successBooleanWhether rule_text has a valid YARA-L 2.0 format.
GoogleChronicleBackstory.VerifyRule.contextStringContains the success message or the compilation error if the verification fails.
GoogleChronicleBackstory.VerifyRule.command_nameStringThe command name.

Command example#

!gcb-verify-rule rule_text="rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }"

Context Example#

{
"GoogleChronicleBackstory": {
"VerifyRule": {
"command_name": "gcb-verify-rule",
"context": "identified no known errors",
"success": true
}
}
}

Human Readable Output#

Identified no known errors#

33. gcb-get-event#


Get the specific event with the given ID from Chronicle.

Note: This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

Base Command#

gcb-get-event

Input#

Argument NameDescriptionRequired
event_idSpecify the ID of the event.

Note: The event_id can be retrieved from the output context path (GoogleChronicleBackstory.Events.id) of the gcb-list-events command.
Required

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Events.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.collectedTimestampDateThe GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Events.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Events.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.emailStringEmail address.
GoogleChronicleBackstory.Events.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.urlStringStandard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.emailStringEmail address.
GoogleChronicleBackstory.Events.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.urlStringStandard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Events.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.emailStringEmail address.
GoogleChronicleBackstory.Events.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.urlStringStandard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.emailStringEmail address.
GoogleChronicleBackstory.Events.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.urlStringStandard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.emailStringEmail address.
GoogleChronicleBackstory.Events.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.urlStringStandard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Events.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Events.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Events.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Events.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Events.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Events.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Events.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Events.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.

Command Example#

!gcb-get-event event_id="dummy_id"

Context Example#

{
"GoogleChronicleBackstory.Events(val.id == obj.id)": [
{
"eventTimestamp": "2024-11-12T12:19:59Z",
"eventType": "GENERIC_EVENT",
"vendorName": "NewClient",
"productName": "Private Access",
"productEventType": "APP_NOT_REACHABLE",
"description": "0",
"ingestedTimestamp": "2024-11-12T12:20:03.217859Z",
"id": "dummy_id",
"logType": "NEW_XYZ",
"baseLabels": {
"logTypes": [
"NEW_XYZ"
],
"allowScopedAccess": true
},
"additional": {
"policy_processing_time": "0",
"idp": "0",
"server_setup_time": "0",
"connector": "0",
"client_to_client": "0",
"app_micro_tenant_id": "0",
"micro_tenant_id": "0",
"pra_capability_policy_id": "0",
"client_zen": "EU-DE-9490",
"customer": "New Demo Center",
"pra_credential_policy_id": "0",
"connector_zen": "0",
"pra_approval_id": "0",
"double_encryption": "Off",
"timestamp_connection_end": "2024-11-12T12:19:59.961Z",
"connection_id": "dummy_connection_id"
},
"principal": {
"user": {
"userDisplayName": "New LSS Client"
},
"port": 11522,
"location": {
"city": "New City",
"countryOrRegion": "US",
"regionCoordinates": {
"latitude": 0,
"longitude": 0
}
},
"natIp": [
"0.0.0.0"
]
},
"target": {
"hostname": "0.0.0.0",
"user": {
"groupIdentifiers": [
"New Enterprise Server - User Status"
]
},
"port": 11522,
"application": "New Enterprise Server - User Status"
},
"intermediary": [
{
"application": "0",
"resource": {
"attribute": {
"labels": [
{
"key": "new_total_bytes_tx_connector",
"value": "0"
}
]
}
}
}
],
"securityResult": [
{
"about": {
"labels": [
{
"key": "connection_status",
"value": "close"
}
]
},
"ruleName": "0",
"description": "None of the App Connectors configured.",
"detectionFields": [
{
"key": "server",
"value": "0"
}
]
}
],
"network": {
"ipProtocol": "TCP",
"sessionId": "dummy"
}
}
]
}

Human Readable Output#

General Information for the given event with ID: dummy_id#

Base LabelsDescriptionEvent TimestampEvent TypeIdIngested TimestampLog TypeProduct Event TypeProduct NameVendor Name
logTypes:
values: NEW_XYZ
allowScopedAccess: True
02024-11-12T12:19:59ZGENERIC_EVENTdummy_id2024-11-12T12:20:03.217859ZNEW_XYZAPP_NOT_REACHABLEPrivate AccessNewClient

Principal Information#

LocationNat IpPortUser
city: New City
countryOrRegion: US
regionCoordinates:
latitude: 0.0
longitude: 0.0
values: 0.0.0.011522userDisplayName: New LSS Client

Target Information#

ApplicationHostnamePortUser
New Enterprise Server - User Status0.0.0.011522groupIdentifiers:
values: New Enterprise Server - User Status

Security Result Information#

AboutDescriptionDetection FieldsRule Name
labels:
- key: connection_status
value: close
None of the App Connectors configured.- key: server
value: 0
0

Network Information#

Ip ProtocolSession Id
TCPdummy