Chronicle

Overview

Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.

Configure Chronicle on Cortex XSOAR

Navigate to Settings > Integrations > Servers & Services.
Search for Chronicle.
Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- User's Service Account JSON
- Provide comma(',') separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these "categories" would be considered as "malicious" when executing reputation commands.
- Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these "categories" would be considered as "suspicious" when executing reputation commands.
- Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. If you wish to consider all indicators with High severity as Malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
- Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. If you wish to consider all indicators with Medium severity as Suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration is applicable to reputation commands only.
- Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "malicious". The value provided should be greater than the suspicious threshold. This configuration is applicable to reputation commands only.
- Specify the numeric value of "confidence score". If the indicator's confidence score is equal or above the configured threshold, it would be considered as "suspicious". The value provided should be smaller than the malicious threshold. This configuration is applicable to reputation commands only.
- Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "malicious". The confidence level configured should have higher precedence than the suspicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
- Select the confidence score level. If the indicator's confidence score level is equal or above the configured level, it would be considered as "suspicious". The confidence level configured should have lesser precedence than the malicious level. This configuration is applicable to reputation commands only. Refer the "confidence score" level precedence UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
- Fetches incidents
- First fetch time interval. The time range to consider for initial data fetch.(<number> <unit>, e.g., 1 day, 7 days, 3 months, 1 year).
- How many incidents to fetch each time
- Backstory Alert Type (Select the type of data to consider for fetch incidents).
- Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (Default-No Selection).
- Trust any certificate (not secure)
- Use system proxy settings
Click Test to validate the URLs, token, and connection.

Fetched Incidents Data

Fetch-incidents feature can pull events from Google Chronicle which can be converted into actionable incidents for further investigation. It is the function that Demisto calls every minute to import new incidents and can be enabled by the "Fetches incidents" parameter in the integration configuration.

The list of alerts (gcb-list-alerts) or IOC domain matches (gcb-list-iocs) are the two choices that can be configured.

Configuration Parameters for Fetch-incidents

First fetch time interval. The time range to consider for initial data fetch.(<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year): Default 3 days
How many incidents to fetch each time: Default 10
Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (Default-No Selection). Only applicable for asset alerts.
Backstory Alert Type (Select the type of data to consider for fetch incidents):
- IOC Domain matches Default
- Assets with alerts

Name	Initial Value
First fetch time interval. The time range to consider for initial data fetch.(<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year).	3 days
How many incidents to fetch each time.	10
Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (Default-No Selection). Only applicable for asset alerts.	Default No Selection
Backstory Alert Type (Select the type of data to consider for fetch incidents).	IOC Domain matches (Default), Assets with alerts

Incident field mapping - Asset Alerts

Name	Initial Value
name	<AlertName> for <Asset>
rawJSON	Single Raw JSON
details	Single Raw JSON
severity	Severity of Alert

Incident field mapping - IOC Domain matches

Name	Initial Value
name	IOC Domain Match: <Artifact>
rawJSON	Single Raw JSON
details	Single Raw JSON

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. 1. gcb-list-iocs 2. gcb-assets 3. ip 4. domain 5. gcb-ioc-details 6. gcb-list-alerts 7. gcb-list-events

1. gcb-list-iocs

Lists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain matches lists for which the domains that your security infrastructure has flagged as both suspicious and that have been seen recently within your enterprise.

Base Command

gcb-list-iocs

Input

Argument Name	Description	Required
preset_time_range	Fetches IOC Domain matches in the specified time interval. If configured, overrides the start_time argument.	Optional
start_time	The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time.	Optional
page_size	The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000.	Optional

Context Output

Path	Type	Description
Domain.Name	String	The domain name of the artifact.
GoogleChronicleBackstory.Iocs.Artifact	String	The Indicator artifact.
GoogleChronicleBackstory.Iocs.IocIngestTime	Date	Time(UTC) the IOC was first seen by Chronicle.
GoogleChronicleBackstory.Iocs.FirstAccessedTime	Date	Time(UTC) the artifact was first seen within your enterprise.
GoogleChronicleBackstory.Iocs.LastAccessedTime	Date	Time(UTC) the artifact was most recently seen within your enterprise.
GoogleChronicleBackstory.Iocs.Sources.Category	String	Source Category represents the behavior of the artifact.
GoogleChronicleBackstory.Iocs.Sources.IntRawConfidenceScore	Number	The numeric confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.NormalizedConfidenceScore	String	The normalized confidence score of the IOC reported by the source.
GoogleChronicleBackstory.Iocs.Sources.RawSeverity	String	The severity of the IOC as reported by the source.
GoogleChronicleBackstory.Iocs.Sources.Source	String	The source that reported the IOC.

Command Example

!gcb-list-iocs page_size=1 preset_time_range="Last 1 day"

Context Example

{
    "GoogleChronicleBackstory.Iocs": [
        {
            "FirstAccessedTime": "2018-10-03T02:12:51Z", 
            "Sources": [
                {
                    "Category": "Spyware Reporting Server", 
                    "RawSeverity": "Medium", 
                    "NormalizedConfidenceScore": "Low", 
                    "IntRawConfidenceScore": 0, 
                    "Source": "ET Intelligence Rep List"
                }
            ], 
            "LastAccessedTime": "2020-02-14T05:59:27Z", 
            "Artifact": "anx.tb.ask.com", 
            "IocIngestTime": "2020-02-06T22:00:00Z"
        }
    ], 
    "Domain": [
        {
            "Name": "anx.tb.ask.com"
        }
    ]
}

Human Readable Output

IOC Domain Matches

Domain	Category	Source	Confidence	Severity	IOC ingest time	First seen	Last seen
anx.tb.ask.com	Spyware Reporting Server	ET Intelligence Rep List	Low	Medium	7 days ago	a year ago	3 hours ago

2. gcb-assets

Returns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.

Base Command

gcb-assets

Input

Argument Name	Description	Required
artifact_value	The artifact indicator associated with assets. The artifact type can be one of the following: IP, Domain, MD5, SHA1, or SHA256.	Required
preset_time_range	Fetches assets that accessed the artifact during the interval specified. If configured, overrides the start_time and end_time arguments.	Optional
start_time	The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time.	Optional
end_time	The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is current UTC time.	Optional
page_size	The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000.	Optional

Context Output

Path	Type	Description
GoogleChronicleBackstory.Asset.HostName	String	The hostname of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.IpAddress	String	The IP address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.MacAddress	String	The MAC address of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.ProductId	String	The Product ID of the asset that accessed the artifact.
GoogleChronicleBackstory.Asset.AccessedDomain	String	The domain artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedIP	String	The IP address artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedMD5	String	The MD5 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA1	String	The SHA1 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.AccessedSHA256	String	The SHA256 file hash artifact accessed by the asset.
GoogleChronicleBackstory.Asset.FirstAccessedTime	Date	The time when the asset first accessed the artifact.
GoogleChronicleBackstory.Asset.LastAccessedTime	Date	The time when the asset last accessed the artifact.
Host.Hostname	String	The hostname of the asset that accessed the artifact.
Host.ID	String	The Product ID of the asset that accessed the artifact.
Host.IP	String	The IP address of the asset that accessed the artifact.
Host.MACAddress	String	The MAC address of the asset that accessed the artifact.

Command Example

!gcb-assets artifact_value=bing.com preset_time_range="Last 1 day"

Context Example

{
    "GoogleChronicleBackstory.Asset": [
        {
            "FirstAccessedTime": "2018-10-18T04:38:44Z", 
            "AccessedDomain": "bing.com", 
            "HostName": "james-anderson-laptop", 
            "LastAccessedTime": "2020-02-14T07:13:33Z"
        }, 
        {
            "FirstAccessedTime": "2018-10-18T02:01:51Z", 
            "AccessedDomain": "bing.com", 
            "HostName": "roger-buchmann-pc", 
            "LastAccessedTime": "2020-02-13T22:25:27Z"
        }
    ], 
    "Host": [
        {
            "Hostname": "james-anderson-laptop"
        }, 
        {
            "Hostname": "roger-buchmann-pc"
        }
    ]
}

Human Readable Output

Assets related to artifact - bing.com

Host Name	Host IP	Host MAC	First Accessed Time	Last Accessed Time
james-anderson-laptop	-	-	2018-10-18T04:38:44Z	2020-02-14T07:13:33Z
roger-buchmann-pc	-	-	2018-10-18T02:01:51Z	2020-02-13T22:25:27Z

View assets in Chronicle

3. ip

Checks the reputation of an IP address.

Base Command

ip

Input

Argument Name	Description	Required
ip	The IP address to check.	Optional

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad)
IP.Address	String	The IP address of the artifact.
IP.Malicious.Vendor	String	For malicious IPs, the vendor that made the decision.
IP.Malicious.Description	String	For malicious IPs, the reason that the vendor made the decision.
GoogleChronicleBackstory.IP.IoCQueried	String	The artifact that was queried.
GoogleChronicleBackstory.IP.Sources.Address.IpAddress	String	The IP address of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.Domain	String	The domain name of the artifact.
GoogleChronicleBackstory.IP.Sources.Address.Port	Number	The port number of the artifact.
GoogleChronicleBackstory.IP.Sources.Category	String	The behavior of the artifact.
GoogleChronicleBackstory.IP.Sources.ConfidenceScore	Number	The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IP.Sources.FirstAccessedTime	Date	The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IP.Sources.LastAccessedTime	Date	The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IP.Sources.Severity	String	Impact of the artifact on the enterprise.

Command Example

!ip ip=23.20.239.12

Context Example

{
    "IP": {
        "Address": "23.20.239.12"
    }, 
    "DBotScore": {
        "Vendor": "Google Chronicle Backstory", 
        "Indicator": "23.20.239.12", 
        "Score": 0, 
        "Type": "ip"
    }, 
    "GoogleChronicleBackstory.IP": {
        "Sources": [
            {
                "Category": "Known CnC for Mobile specific Family", 
                "FirstAccessedTime": "2018-12-05T00:00:00Z", 
                "Severity": "High", 
                "ConfidenceScore": 70, 
                "Address": [
                    {
                        "IpAddress": "23.20.239.12", 
                        "Port": [
                            80
                        ]
                    }
                ], 
                "LastAccessedTime": "2019-04-10T00:00:00Z"
            }, 
            {
                "Category": "Blocked", 
                "FirstAccessedTime": "1970-01-01T00:00:00Z", 
                "Severity": "High", 
                "ConfidenceScore": "High", 
                "Address": [
                    {
                        "Domain": "mytemplatewebsite.com", 
                        "Port": ""
                    }, 
                    {
                        "IpAddress": "23.20.239.12", 
                        "Port": ""
                    }
                ], 
                "LastAccessedTime": "2020-02-16T08:56:06Z"
            }
        ], 
        "IoCQueried": "23.20.239.12"
    }
}

Human Readable Output

IP: 23.20.239.12 found with Reputation: Unknown

Reputation Parameters

Domain	IP Address	Category	Confidence Score	Severity	First Accessed Time	Last Accessed Time
-	23.20.239.12	Known CnC for Mobile specific Family	70	High	2018-12-05T00:00:00Z	2019-04-10T00:00:00Z
mytemplatewebsite.com	23.20.239.12	Blocked	High	High	1970-01-01T00:00:00Z	2020-02-16T08:56:06Z

View IoC details in Chronicle

4. domain

Checks the reputation of a domain.

Base Command

domain

Input

Argument Name	Description	Required
domain	The domain name to check.	Optional

Context Output

Path	Type	Description
DBotScore.Indicator	String	The indicator that was tested.
DBotScore.Type	String	The indicator type.
DBotScore.Vendor	String	The vendor used to calculate the score.
DBotScore.Score	Number	The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad)
Domain.Name	String	The domain name of the artifact.
Domain.Malicious.Vendor	String	For malicious domains, the vendor that made the decision.
Domain.Malicious.Description	String	For malicious domains, the reason that the vendor made the decision.
GoogleChronicleBackstory.Domain.IoCQueried	String	The domain that queried.
GoogleChronicleBackstory.Domain.Sources.Address.IpAddress	String	The IP address of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.Domain	String	The domain name of the artifact.
GoogleChronicleBackstory.Domain.Sources.Address.Port	Number	The port number of the artifact.
GoogleChronicleBackstory.Domain.Sources.Category	String	The behavior of the artifact.
GoogleChronicleBackstory.Domain.Sources.ConfidenceScore	Number	The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.Domain.Sources.FirstAccessedTime	Date	The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.Domain.Sources.LastAccessedTime	Date	The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.Domain.Sources.Severity	String	Impact of the artifact on the enterprise.

Command Example

!domain domain=bing.com

Context Example

{
    "GoogleChronicleBackstory.Domain": {
        "Sources": [
            {
                "Category": "Observed serving executables", 
                "FirstAccessedTime": "2013-08-06T00:00:00Z", 
                "Severity": "Low", 
                "ConfidenceScore": 67, 
                "Address": [
                    {
                        "Domain": "bing.com", 
                        "Port": [
                            80
                        ]
                    }
                ], 
                "LastAccessedTime": "2020-01-14T00:00:00Z"
            }
        ], 
        "IoCQueried": "bing.com"
    }, 
    "Domain": {
        "Name": "bing.com"
    }, 
    "DBotScore": {
        "Vendor": "Google Chronicle Backstory", 
        "Indicator": "bing.com", 
        "Score": 0, 
        "Type": "domain"
    }
}

Human Readable Output

Domain: bing.com found with Reputation: Unknown

Reputation Parameters

Domain	IP Address	Category	Confidence Score	Severity	First Accessed Time	Last Accessed Time
bing.com	-	Observed serving executables	67	Low	2013-08-06T00:00:00Z	2020-01-14T00:00:00Z

View IoC details in Chronicle

5. gcb-ioc-details

Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

Base Command

gcb-ioc-details

Input

Argument Name	Description	Required
artifact_value	The artifact indicator value. The supported artifact types are IP and domain.	Required

Context Output

Path	Type	Description
Domain.Name	String	The domain name of the artifact.
IP.Address	String	The IP address of the of the artifact.
GoogleChronicleBackstory.IocDetails.IoCQueried	String	The artifact entered by the user.
GoogleChronicleBackstory.IocDetails.Sources.Address.IpAddress	String	The IP address of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.Domain	String	The domain name of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Address.Port	Number	The port number of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.Category	String	The behavior of the artifact.
GoogleChronicleBackstory.IocDetails.Sources.ConfidenceScore	Number	The confidence score indicating the accuracy and appropriateness of the assigned category.
GoogleChronicleBackstory.IocDetails.Sources.FirstAccessedTime	Date	The time the IOC was first accessed within the enterprise.
GoogleChronicleBackstory.IocDetails.Sources.LastAccessedTime	Date	The time the IOC was most recently seen within your enterprise.
GoogleChronicleBackstory.IocDetails.Sources.Severity	String	Impact of the artifact on the enterprise.

Command Example

!gcb-ioc-details artifact_value=23.20.239.12

Context Example

{
    "IP": {
        "Address": "23.20.239.12"
    }, 
    "GoogleChronicleBackstory.IocDetails": {
        "Sources": [
            {
                "Category": "Known CnC for Mobile specific Family", 
                "FirstAccessedTime": "2018-12-05T00:00:00Z", 
                "Severity": "High", 
                "ConfidenceScore": 70, 
                "Address": [
                    {
                        "IpAddress": "23.20.239.12", 
                        "Port": [
                            80
                        ]
                    }
                ], 
                "LastAccessedTime": "2019-04-10T00:00:00Z"
            }, 
            {
                "Category": "Blocked", 
                "FirstAccessedTime": "1970-01-01T00:00:00Z", 
                "Severity": "High", 
                "ConfidenceScore": "High", 
                "Address": [
                    {
                        "Domain": "mytemplatewebsite.com", 
                        "Port": ""
                    }, 
                    {
                        "IpAddress": "23.20.239.12", 
                        "Port": ""
                    }
                ], 
                "LastAccessedTime": "2020-02-16T08:56:06Z"
            }
        ], 
        "IoCQueried": "23.20.239.12"
    }
}

Human Readable Output

IoC Details

Domain	IP Address	Category	Confidence Score	Severity	First Accessed Time	Last Accessed Time
-	23.20.239.12	Known CnC for Mobile specific Family	70	High	2018-12-05T00:00:00Z	2019-04-10T00:00:00Z
mytemplatewebsite.com	23.20.239.12	Blocked	High	High	1970-01-01T00:00:00Z	2020-02-16T08:56:06Z

View IoC details in Chronicle

6. gcb-list-alerts

List all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.

Base Command

gcb-list-alerts

Input

Argument Name	Description	Required
preset_time_range	Fetch alerts for the specified time range. If preset_time_range is configured, overrides the start_time and end_time arguments.	Optional
start_time	The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time.	Optional
end_time	The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is current UTC time.	Optional
page_size	The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000.	Optional
severity	The severity by which to filter the returned alerts. If not supplied, all alerts are fetched. The possible values are "High", "Medium", "Low", or "Unspecified".	Optional

Context Output

Path	Type	Description
GoogleChronicleBackstory.Alert.AssetName	String	The asset identifier. It can be IP Address, MAC Address, Hostname or Product ID.
GoogleChronicleBackstory.Alert.AlertInfo.Name	String	The name of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.Severity	String	The severity of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.SourceProduct	String	The source of the alert.
GoogleChronicleBackstory.Alert.AlertInfo.Timestamp	String	The time of the alert in Backstory.
GoogleChronicleBackstory.Alert.AlertCounts	Number	The total number of alerts.

Command Example

!gcb-list-alerts page_size=1 preset_time_range="Last 1 day"

Context Example

{
    "GoogleChronicleBackstory.Alert": [
        {
            "AssetName": "rosie-hayes-pc", 
            "AlertInfo": [
                {
                    "Timestamp": "2020-02-14T03:02:36Z", 
                    "SourceProduct": "Internal Alert", 
                    "Name": "Authentication failure [32038]", 
                    "Severity": "Medium"
                }
            ], 
            "AlertCounts": 1
        }
    ]
}

Human Readable Output

Security Alert(s)

Alerts	Asset	Alert Names	First Seen	Last Seen	Severities	Sources
1	rosie-hayes-pc	Authentication failure [32038]	6 hours ago	6 hours ago	Medium	Internal Alert

7. gcb-list-events

List all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Chronicle account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events. Any event would have only specific output context set. Refer the UDM documentation to figure out the output properties specific to the event types.

Base Command

gcb-list-events

Input

Argument Name	Description	Required
asset_identifier_type	Specify the identifier type of the asset you are investigating. The possible values are Host Name, IP Address, MAC Address or Product ID.	Required
asset_identifier	Value of the asset identifier.	Required
preset_time_range	Get events that are discovered during the interval specified. If configured, overrides the start_time and end_time arguments.	Optional
start_time	The value of the start time for your request. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers UTC time corresponding to 2 hours earlier than current time.	Optional
end_time	The value of the end time for your request. The format of Date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers current UTC time.	Optional
page_size	Specify the maximum number of events to fetch. You can specify between 1 and 1000. The default is 100.	Optional
reference_time	Specify the reference time for the asset you are investigating, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers start time as reference time.	Optional

Context Output

Path	Type	Description
GoogleChronicleBackstory.Events.eventType	String	Specifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestamp	Date	The GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.collectedTimestamp	Date	The GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.description	String	Human-readable description of the event.
GoogleChronicleBackstory.Events.productEventType	String	Short, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogId	String	A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productName	String	Specifies the name of the product.
GoogleChronicleBackstory.Events.productVersion	String	Specifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProduct	String	URL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorName	String	Specifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.email	String	Email address.
GoogleChronicleBackstory.Events.principal.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.principal.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.mac	String	MAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.url	String	Standard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.principal.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.principal.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.email	String	Email address.
GoogleChronicleBackstory.Events.target.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.target.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.target.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.target.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.mac	String	One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.url	String	Standard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.target.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.target.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.target.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.email	String	Email address.
GoogleChronicleBackstory.Events.intermediary.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.intermediary.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.mac	String	One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.url	String	Standard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.email	String	Email address.
GoogleChronicleBackstory.Events.src.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.src.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.src.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.src.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.mac	String	One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.url	String	Standard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.src.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.src.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.src.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.email	String	Email address.
GoogleChronicleBackstory.Events.observer.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.observer.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.mac	String	One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.url	String	Standard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.observer.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.observer.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetId	String	Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.email	String	Email address.
GoogleChronicleBackstory.Events.about.hostname	String	Client hostname or domain name field.
GoogleChronicleBackstory.Events.about.platform	String	Platform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevel	String	Platform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersion	String	Platform operating system version.
GoogleChronicleBackstory.Events.about.ip	String	IP address associated with a network connection.
GoogleChronicleBackstory.Events.about.port	String	Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.mac	String	One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomain	String	Domain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.url	String	Standard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.about.process.commandLine	String	Stores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessId	String	Stores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessId	String	Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.file	String	Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadata	String	Metadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPath	String	Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5	String	MD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeType	String	Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1	String	SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256	String	SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.size	String	Size of the file.
GoogleChronicleBackstory.Events.about.process.parentPid	String	Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pid	String	Stores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKey	String	Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueName	String	Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueData	String	Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddresses	String	Stores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeId	String	Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstName	String	Stores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleName	String	Stores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastName	String	Stores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupid	String	Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbers	String	Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.title	String	Stores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayName	String	Stores the display name for the user.
GoogleChronicleBackstory.Events.about.user.userid	String	Stores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSid	String	Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocol	String	Indicates the network application protocol.
GoogleChronicleBackstory.Events.network.direction	String	Indicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.email	String	Specifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocol	String	Indicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytes	String	Specifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytes	String	Specifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostname	String	Hostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifier	String	Client identifier.
GoogleChronicleBackstory.Events.network.dhcp.file	String	Filename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flags	String	Value for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlen	String	Hardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hops	String	DHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htype	String	Hardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSeconds	String	Client-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcode	String	BOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddress	String	Client identifier.
GoogleChronicleBackstory.Events.network.dhcp.seconds	String	Seconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.sname	String	Name of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionId	String	Client transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.type	String	DHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddr	String	IP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddr	String	IP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddr	String	IP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddr	String	IP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddr	String	Your IP address.
GoogleChronicleBackstory.Events.network.dns.authoritative	String	Set to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.id	String	Stores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.response	String	Set to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcode	String	Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailable	String	Set to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesired	String	Set to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCode	String	Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncated	String	Set to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.name	String	Stores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.class	String	Stores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.type	String	Stores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryData	String	Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.class	String	Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.data	String	Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.name	String	Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttl	String	Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.type	String	Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryData	String	Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.class	String	Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.data	String	Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.name	String	Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttl	String	Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.type	String	Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryData	String	Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.class	String	Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.data	String	Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.name	String	Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttl	String	Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.type	String	Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.from	String	Stores the from email address.
GoogleChronicleBackstory.Events.network.email.replyTo	String	Stores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.to	String	Stores the to email addresses.
GoogleChronicleBackstory.Events.network.email.cc	String	Stores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bcc	String	Stores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailId	String	Stores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subject	String	Stores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.command	String	Stores the FTP command.
GoogleChronicleBackstory.Events.network.http.method	String	Stores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrl	String	Stores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCode	String	Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragent	String	Stores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authType	String	Type of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanism	String	Mechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.about	String	Provide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.action	String	Specify a security action.
GoogleChronicleBackstory.Events.securityResult.category	String	Specify a security category.
GoogleChronicleBackstory.Events.securityResult.confidence	String	Specify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetails	String	Additional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priority	String	Specify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetails	String	Vendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleId	String	Identifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleName	String	Name of the security rule.
GoogleChronicleBackstory.Events.securityResult.severity	String	Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetails	String	Severity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatName	String	Name of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProduct	String	URL to direct you to the source product console for this security event.

Command Example

!gcb-list-events asset_identifier_type="Host Name" asset_identifier="ray-xxx-laptop" start_time="2020-01-01T00:00:00Z" page_size="1"

Context Example

{
    "GoogleChronicleBackstory.Events": [
        {
            "principal": {
                "ip": [
                    "10.0.XX.XX"
                ], 
                "mac": [
                    "88:a6:XX:XX:XX:XX"
                ], 
                "hostname": "ray-xxx-laptop"
            }, 
            "target": {
                "ip": [
                    "8.8.8.8"
                ]
            }, 
            "network": {
                "applicationProtocol": "DNS", 
                "dns": {
                    "questions": [
                        {
                            "type": 1, 
                            "name": "is5-ssl.mzstatic.com"
                        }
                    ], 
                    "answers": [
                        {
                            "type": 1, 
                            "data": "104.118.212.43", 
                            "name": "is5-ssl.mzstatic.com", 
                            "ttl": 11111
                        }
                    ], 
                    "response": true
                }
            }, 
            
            "collectedTimestamp": "2020-01-02T00:00:00Z", 
            "productName": "ExtraHop", 
            "eventTimestamp": "2020-01-01T23:59:38Z", 
            "eventType": "NETWORK_DNS"
        
        }
    ]
}

Human Readable Output

Event(s) Details

Event Timestamp	Event Type	Principal Asset Identifier	Target Asset Identifier	Queried Domain
2020-01-01T23:59:38Z	NETWORK_DNS	ray-xxx-laptop	8.8.8.8	ninthdecimal.com

View events in Chronicle

Maximum number of events specified in page_size has been returned. There might still be more events in your Chronicle account. To fetch the next set of events, execute the command with the start time as 2020-01-01T23:59:38Z

PAN-OS

Cortex Data Lake

Cortex XSOAR

PAN-OS

Cortex Data Lake

Cortex XSOAR

#Overview

#Configure Chronicle on Cortex XSOAR

#Fetched Incidents Data

#Configuration Parameters for Fetch-incidents

#Incident field mapping - Asset Alerts

#Incident field mapping - IOC Domain matches

#Commands

#1. gcb-list-iocs

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#IOC Domain Matches

#2. gcb-assets

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#Assets related to artifact - bing.com

#3. ip

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#Reputation Parameters

#4. domain

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#Reputation Parameters

#5. gcb-ioc-details

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#IoC Details

#6. gcb-list-alerts

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#Security Alert(s)

#7. gcb-list-events

#Base Command

#Input

#Context Output

#Command Example

#Context Example

#Human Readable Output

#Event(s) Details

Overview

Configure Chronicle on Cortex XSOAR

Fetched Incidents Data

Configuration Parameters for Fetch-incidents

Incident field mapping - Asset Alerts

Incident field mapping - IOC Domain matches

Commands

1. gcb-list-iocs

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

IOC Domain Matches

2. gcb-assets

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Assets related to artifact - bing.com

3. ip

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Reputation Parameters

4. domain

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Reputation Parameters

5. gcb-ioc-details

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

IoC Details

6. gcb-list-alerts

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Security Alert(s)

7. gcb-list-events

Base Command

Input

Context Output

Command Example

Context Example

Human Readable Output

Event(s) Details