Google SecOps v1 Alpha

This Integration is part of the Google SecOps Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Use the Google SecOps integration to retrieve IOC Domain matches as Incidents. This integration also provides reputation and threat enrichment of indicators observed in the enterprise. This integration was integrated and tested with version v1 Alpha of GoogleSecOps.

Note: Each command makes up to 3 internal retries, with exponentially increasing gaps of 15, 30, and 60 seconds between the retries.

If you are upgrading from a Google Chronicle Backstory integration, please refer to the Migration Guide for guidance.

Configure Google SecOps v1 Alpha on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Google SecOps v1 Alpha.
  3. Click Add instance to create and configure a new integration instance.
  4. To fetch IOC Domain matches, refer to the section "Configuration for fetching IOC Domain Matches as a Cortex XSOAR Incident".
| Parameter | Description | Required |
| --- | --- | --- |
| User's Service Account JSON | | True |
| Google SecOps Project Instance ID | Provide the Project Instance ID of the Google SecOps instance. Note: the Customer ID (Project Instance ID) can be retrieved from the Profile section of the Google SecOps page. | True |
| Region | Select the region based on the location of the Google SecOps instance. If the region is not listed in the dropdown, choose the "Other" option and specify the region in the "Other Region" text field. | True |
| Other Region | Specify the region based on the location of the Google SecOps instance. Only applicable if the "Other" option is selected in the Region dropdown. | False |
| Provide comma(',') separated categories (e.g. APT-Activity, Phishing). | Indicators belonging to these "categories" are considered "malicious" when executing reputation commands. | False |
| Provide comma(',') separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). | Indicators belonging to these "categories" are considered "suspicious" when executing reputation commands. | False |
| Specify the "severity" of indicator that should be considered as "malicious" irrespective of the category. | To treat all indicators with High severity as malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration applies to reputation commands only. | False |
| Specify the "severity" of indicator that should be considered as "suspicious" irrespective of the category. | To treat all indicators with Medium severity as suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration applies to reputation commands only. | False |
| Specify the numeric value of "confidence score". | If the indicator's confidence score is equal to or above the configured threshold, it is considered "malicious". The value provided should be greater than the suspicious threshold. This configuration applies to reputation commands only. | False |
| Specify the numeric value of "confidence score". | If the indicator's confidence score is equal to or above the configured threshold, it is considered "suspicious". The value provided should be smaller than the malicious threshold. This configuration applies to reputation commands only. | False |
| Select the confidence score level. | If the indicator's confidence score level is equal to or above the configured level, it is considered "malicious". The configured level should have higher precedence than the suspicious level. This configuration applies to reputation commands only. Confidence score level precedence: UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH. | False |
| Select the confidence score level. | If the indicator's confidence score level is equal to or above the configured level, it is considered "suspicious". The configured level should have lower precedence than the malicious level. This configuration applies to reputation commands only. Confidence score level precedence: UNKNOWN SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH. | False |
| Fetch incidents | | False |
| Incident type | | False |
| First fetch time | The UTC date or relative timestamp from which to start fetching incidents. Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ. For example: 10 minutes, 5 hours, 8 days, 2 weeks, 8 months, 2021-12-31, 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z. Default value is 3 days. | False |
| How many incidents to fetch each time | The maximum number of incidents to fetch each time. The maximum value is 10,000. Default value is 100. | False |
| Time window (in minutes) | Select the time window to query Google SecOps. When selecting the time window, consider the delay between an event being generated and its appearance in Google SecOps. Available options are 60 (Default), 120, 240, 360, 480, 600, 720, 1440. | |
| Source Reliability | Reliability of the source providing the intelligence data. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
  5. Click Test to validate the URLs, token, and connection.
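The reputation parameters above (category lists, severity, numeric confidence thresholds and confidence score levels) combine into one verdict per indicator. The following Python is an added example, not the integration's own code: it implements the decision as the parameter descriptions state it, assuming that any matching malicious criterion wins, that a suspicious criterion only counts when no malicious one matched, and that a source's ConfidenceScore is either a number (compared against the numeric thresholds) or a level string (compared by the stated precedence). The ReputationConfig class, its field names and the sample Sources entries are constructed.

```python
"""Reputation verdict logic modelled on the instance parameters described above.
Added example, not the integration's own code. The DBotScore convention is
assumed: 0 = Unknown, 2 = Suspicious, 3 = Malicious."""
from dataclasses import dataclass, field
from typing import List, Optional

UNKNOWN, SUSPICIOUS, MALICIOUS = 0, 2, 3

# Confidence score level precedence exactly as stated in the parameter table.
LEVEL_ORDER = ["UNKNOWN SEVERITY", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH"]
ALLOWED_SEVERITIES = ("High", "Medium", "Low")


def level_rank(level: str) -> int:
    """Position of a confidence level in LEVEL_ORDER; unrecognised strings rank lowest."""
    try:
        return LEVEL_ORDER.index(level.strip().upper())
    except ValueError:
        return 0


@dataclass
class ReputationConfig:
    """Constructed mirror of the instance parameters; every field is optional."""
    malicious_categories: List[str] = field(default_factory=list)
    suspicious_categories: List[str] = field(default_factory=list)
    malicious_severity: Optional[str] = None
    suspicious_severity: Optional[str] = None
    malicious_threshold: Optional[int] = None   # numeric confidence score
    suspicious_threshold: Optional[int] = None
    malicious_level: Optional[str] = None       # confidence score level
    suspicious_level: Optional[str] = None

    def validate(self) -> None:
        """Enforce the ordering rules the parameter descriptions require."""
        if (self.malicious_threshold is not None and self.suspicious_threshold is not None
                and self.malicious_threshold <= self.suspicious_threshold):
            raise ValueError("malicious confidence threshold must exceed the suspicious one")
        if (self.malicious_level and self.suspicious_level
                and level_rank(self.malicious_level) <= level_rank(self.suspicious_level)):
            raise ValueError("malicious confidence level must outrank the suspicious one")
        for sev in (self.malicious_severity, self.suspicious_severity):
            if sev is not None and sev not in ALLOWED_SEVERITIES:
                raise ValueError(f"severity must be one of {ALLOWED_SEVERITIES}, got {sev!r}")


def _rule_hit(source: dict, categories: List[str], severity: Optional[str],
              threshold: Optional[int], level: Optional[str]) -> bool:
    """True when any of the four configured criteria matches this Sources entry."""
    if source.get("Category") in categories:
        return True
    if severity is not None and source.get("Severity") == severity:
        return True
    score = source.get("ConfidenceScore")
    # Sources report either a numeric score (e.g. 64) or a level string (e.g. "High");
    # each kind is compared only against the matching kind of configuration.
    if isinstance(score, (int, float)) and threshold is not None:
        return score >= threshold
    if isinstance(score, str) and level is not None:
        return level_rank(score) >= level_rank(level)
    return False


def source_verdict(source: dict, cfg: ReputationConfig) -> int:
    """Malicious criteria are checked first; a suspicious hit only counts if none matched."""
    if _rule_hit(source, cfg.malicious_categories, cfg.malicious_severity,
                 cfg.malicious_threshold, cfg.malicious_level):
        return MALICIOUS
    if _rule_hit(source, cfg.suspicious_categories, cfg.suspicious_severity,
                 cfg.suspicious_threshold, cfg.suspicious_level):
        return SUSPICIOUS
    return UNKNOWN


def indicator_verdict(sources: List[dict], cfg: ReputationConfig) -> int:
    """Worst verdict across an indicator's Sources list (an empty list is Unknown)."""
    cfg.validate()
    return max((source_verdict(s, cfg) for s in sources), default=UNKNOWN)


# Constructed samples, copied from the ip, domain and gcb-ioc-details context examples.
IP_SOURCES = [{"Category": "Indicator was published in publicly available sources",
               "ConfidenceScore": 64, "Severity": "High"}]
DOMAIN_SOURCES = [{"Category": "Indicator was published in publicly available sources",
                   "ConfidenceScore": 77, "Severity": "Medium"}]
MIXED_SOURCES = [{"Category": "Blocked", "ConfidenceScore": "High", "Severity": "High"},
                 {"Category": "Blocked", "ConfidenceScore": 70, "Severity": "Low"}]


def demo() -> dict:
    """Assumed instance config: only 'High' severity marked malicious. With it the
    ip sample scores 3 and the domain sample 0, matching the outputs shown later."""
    cfg = ReputationConfig(malicious_severity="High")
    return {"ip": indicator_verdict(IP_SOURCES, cfg),
            "domain": indicator_verdict(DOMAIN_SOURCES, cfg)}


if __name__ == "__main__":
    print(demo())
```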

Configuration for fetching IOC Domain Matches as a Cortex XSOAR Incident

  1. Select Fetches incidents.
  2. Under Classifier, select "Chronicle - Classifier".
  3. Under Incident type, select "N/A".
  4. Under Mapper (incoming), select "Chronicle - Incoming Mapper" for default mapping.
  5. Enter the connection parameters (Service Account JSON, Google SecOps Project Instance ID, Region).
  6. Update "First fetch time" and "Max Fetch Count" based on your requirements.
  7. Update the "Time window" based on the time delay for an event to appear in Google SecOps after generation.
  8. Click Save.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. gcb-list-iocs
  2. ip
  3. domain
  4. gcb-ioc-details
  5. gcb-list-events
  6. gcb-list-detections
  7. gcb-list-rules
  8. gcb-create-rule
  9. gcb-get-rule
  10. gcb-delete-rule
  11. gcb-create-rule-version
  12. gcb-change-rule-alerting-status
  13. gcb-change-live-rule-status
  14. gcb-start-retrohunt
  15. gcb-get-retrohunt
  16. gcb-list-retrohunts
  17. gcb-cancel-retrohunt
  18. gcb-list-reference-list
  19. gcb-get-reference-list
  20. gcb-create-reference-list
  21. gcb-update-reference-list
  22. gcb-verify-reference-list
  23. gcb-test-rule-stream
  24. gcb-list-curatedrules
  25. gcb-list-curatedrule-detections
  26. gcb-udm-search
  27. gcb-verify-value-in-reference-list
  28. gcb-verify-rule
  29. gcb-get-event
  30. gcb-reference-list-append-content
  31. gcb-reference-list-remove-content
  32. gcb-list-data-tables
  33. gcb-create-data-table
  34. gcb-get-data-table
  35. gcb-verify-value-in-data-table
  36. gcb-data-table-add-row
  37. gcb-data-table-remove-row
  38. gcb-get-detection

1. gcb-list-iocs

Lists the IOC Domain matches within your enterprise for the specified time interval. The indicator of compromise (IOC) domain match list contains the domains that your security infrastructure has flagged as suspicious and that have been seen recently within your enterprise.

Base Command

gcb-list-iocs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| preset_time_range | Fetches IOC Domain matches in the specified time interval. If configured, overrides the start_time argument. | Optional |
| start_time | The start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the default is the UTC time 3 days earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| page_size | The maximum number of IOCs to return. You can specify between 1 and 10000. Default is 10000. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name of the artifact. |
| GoogleChronicleBackstory.Iocs.Artifact | String | The indicator artifact. |
| GoogleChronicleBackstory.Iocs.IocIngestTime | Date | Time (UTC) the IOC was first seen by Chronicle. |
| GoogleChronicleBackstory.Iocs.FirstAccessedTime | Date | Time (UTC) the artifact was first seen within your enterprise. |
| GoogleChronicleBackstory.Iocs.LastAccessedTime | Date | Time (UTC) the artifact was most recently seen within your enterprise. |
| GoogleChronicleBackstory.Iocs.Sources.Category | String | Source category, representing the behavior of the artifact. |
| GoogleChronicleBackstory.Iocs.Sources.IntRawConfidenceScore | Number | The numeric confidence score of the IOC reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.NormalizedConfidenceScore | String | The normalized confidence score of the IOC reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.RawSeverity | String | The severity of the IOC as reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.Source | String | The source that reported the IOC. |

Command Example

!gcb-list-iocs page_size=1 preset_time_range="Last 1 day"

Context Example

{
"Domain": {
"Name": "test.com"
},
"GoogleChronicleBackstory": {
"Iocs": [
{
"Artifact": "test.com",
"FirstAccessedTime": "2025-06-19T05:48:21Z",
"IocIngestTime": "2025-06-16T04:22:03.276821Z",
"LastAccessedTime": "2025-07-10T14:13:30Z",
"Sources": [
{
"Category": "Unwanted",
"IntRawConfidenceScore": 70,
"NormalizedConfidenceScore": "Medium",
"RawSeverity": "Medium",
"Source": "3rd Party"
}
]
},
{
"Artifact": "0.0.0.1",
"FirstAccessedTime": "2025-06-19T05:48:21Z",
"IocIngestTime": "2025-06-16T04:22:03.276821Z",
"LastAccessedTime": "2025-07-10T14:13:30Z",
"Sources": [
{
"Category": "Unwanted",
"IntRawConfidenceScore": 100,
"NormalizedConfidenceScore": "High",
"RawSeverity": "Medium",
"Source": "3rd Party"
}
]
}
]
}
}

Human Readable Output

IOC Domain Matches

| Artifact | Category | Source | Confidence | Severity | IOC ingest time | First seen | Last seen |
| --- | --- | --- | --- | --- | --- | --- | --- |
| test.com | Unwanted | 3rd Party | Medium | Medium | 2 months ago | 2 months ago | a month ago |
| 0.0.0.1 | Unwanted | 3rd Party | High | Medium | 2 months ago | 2 months ago | a month ago |

2. ip

Checks the reputation of an IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP address to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| IP.Address | String | The IP address of the artifact. |
| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
| GoogleChronicleBackstory.IP.IoCQueried | String | The artifact that was queried. |
| GoogleChronicleBackstory.IP.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Address.Port | Unknown | The port numbers of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.IP.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.IP.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.IP.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.IP.Sources.Severity | String | Impact of the artifact on the enterprise. |

Command example

!ip ip="0.0.0.1"

Context Example

{
"DBotScore": {
"Indicator": "0.0.0.1",
"Reliability": "B - Usually reliable",
"Score": 3,
"Type": "ip",
"Vendor": "Google SecOps"
},
"GoogleChronicleBackstory": {
"IP": {
"IoCQueried": "0.0.0.1",
"Sources": [
{
"Address": [
{
"IpAddress": "0.0.0.1"
}
],
"Category": "Indicator was published in publicly available sources",
"ConfidenceScore": 64,
"FirstAccessedTime": "1970-01-01T00:00:01Z",
"LastAccessedTime": "9999-12-31T23:59:59Z",
"Severity": "High"
}
]
}
},
"IP": {
"Address": "0.0.0.1",
"Malicious": {
"Description": "Found in malicious data set",
"Vendor": "Google SecOps"
}
}
}

Human Readable Output

IP: 0.0.0.1 found with Reputation: Malicious

Reputation Parameters

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
| --- | --- | --- | --- | --- | --- | --- |
| - | 0.0.0.1 | Indicator was published in publicly available sources | 64 | High | 1970-01-01T00:00:01Z | 9999-12-31T23:59:59Z |

3. domain

Checks the reputation of a domain.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain name to check. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| Domain.Name | String | The domain name of the artifact. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision. |
| GoogleChronicleBackstory.Domain.IoCQueried | String | The domain that was queried. |
| GoogleChronicleBackstory.Domain.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Address.Port | Unknown | The port numbers of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.Domain.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.Domain.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.Domain.Sources.Severity | String | Impact of the artifact on the enterprise. |

Command example

!domain domain="test.com"

Context Example

{
"DBotScore": {
"Indicator": "test.com",
"Reliability": "B - Usually reliable",
"Score": 0,
"Type": "domain",
"Vendor": "Google SecOps"
},
"Domain": {
"Name": "test.com"
},
"GoogleChronicleBackstory": {
"Domain": {
"IoCQueried": "test.com",
"Sources": [
{
"Address": [
{
"Domain": "test.com"
}
],
"Category": "Indicator was published in publicly available sources",
"ConfidenceScore": 77,
"FirstAccessedTime": "1970-01-01T00:00:01Z",
"LastAccessedTime": "9999-12-31T23:59:59Z",
"Severity": "Medium"
}
]
}
}
}

Human Readable Output

Domain: test.com found with Reputation: Unknown

Reputation Parameters

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
| --- | --- | --- | --- | --- | --- | --- |
| test.com | - | Indicator was published in publicly available sources | 77 | Medium | 1970-01-01T00:00:01Z | 9999-12-31T23:59:59Z |

4. gcb-ioc-details

Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

Base Command

gcb-ioc-details

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| artifact_value | The artifact indicator value. The supported artifact types are IP and domain. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | String | The domain name of the artifact. |
| IP.Address | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IocDetails.IoCQueried | String | The artifact entered by the user. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.Port | Unknown | The port numbers of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.IocDetails.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.IocDetails.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.IocDetails.Sources.Severity | String | Impact of the artifact on the enterprise. |

Command Example

!gcb-ioc-details artifact_value=0.0.0.1

Context Example

{
"GoogleChronicleBackstory": {
"IocDetails": {
"IoCQueried": "0.0.0.1",
"Sources": [
{
"Address": [
{
"IpAddress": "0.0.0.1",
"Port": [
80
]
}
],
"Category": "Blocked",
"ConfidenceScore": "High",
"FirstAccessedTime": "1970-01-01T00:00:00Z",
"LastAccessedTime": "9999-12-31T23:59:59Z",
"Severity": "High"
},
{
"Address": [
{
"Domain": "test.com",
"Port": [
44902,
65178
]
},
{
"IpAddress": "0.0.0.1",
"Port": [
80
]
}
],
"Category": "Blocked",
"ConfidenceScore": 70,
"FirstAccessedTime": "1970-01-01T00:00:00Z",
"LastAccessedTime": "2025-02-18T15:35:11Z",
"Severity": "Low"
}
]
}
},
"IP": {
"Address": "0.0.0.1"
}
}

Human Readable Output

IoC Details

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
| --- | --- | --- | --- | --- | --- | --- |
| - | 0.0.0.1 | Blocked | High | High | 1970-01-01T00:00:00Z | 9999-12-31T23:59:59Z |
| test.com | 0.0.0.1 | Blocked | 70 | Low | 1970-01-01T00:00:00Z | 2025-02-18T15:35:11Z |

5. gcb-list-events

Lists all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Google SecOps account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events; each event populates only the output context specific to its type. Refer to the UDM documentation for the output properties specific to each event type.

Base Command

gcb-list-events

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_identifier_type | Specify the identifier type of the asset you are investigating. Possible values are: Host Name, IP Address, MAC Address, Product ID. | Required |
| asset_identifier | Value of the asset identifier. | Required |
| preset_time_range | Get events that were discovered during the specified interval. If configured, overrides the start_time and end_time arguments. Possible values are: Last 1 day, Last 7 days, Last 15 days, Last 30 days. | Optional |
| start_time | The start time for your request. The date must comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or be a relative time. If not supplied, the product uses the UTC time 2 hours earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| end_time | The end time for your request. The date must comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or be a relative time. If not supplied, the product uses the current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| page_size | Specify the maximum number of events to fetch. You can specify between 1 and 10000. Default is 10000. | Optional |
| reference_time | Specify the reference time for the asset you are investigating, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z) or relative time. If not supplied, the product uses the start time as the reference time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Events.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.collectedTimestampDateThe GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Events.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Events.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.emailStringEmail address.
GoogleChronicleBackstory.Events.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.urlStringStandard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.emailStringEmail address.
GoogleChronicleBackstory.Events.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.urlStringStandard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
| GoogleChronicleBackstory.Events.intermediary.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.intermediary.email | String | Email address. |
| GoogleChronicleBackstory.Events.intermediary.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.intermediary.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.intermediary.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.intermediary.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.intermediary.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.intermediary.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.intermediary.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.intermediary.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.intermediary.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.intermediary.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.intermediary.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.intermediary.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.intermediary.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.intermediary.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.intermediary.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.intermediary.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.intermediary.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.intermediary.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.src.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.src.email | String | Email address. |
| GoogleChronicleBackstory.Events.src.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.src.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.src.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.src.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.src.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.src.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.src.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.src.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.src.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.src.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.src.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.src.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.src.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.src.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.src.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.src.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.src.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.src.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.src.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.src.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.src.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.src.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.src.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.src.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.src.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.src.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.src.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.src.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.src.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.src.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.src.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.src.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.src.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.src.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.src.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.src.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.observer.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.observer.email | String | Email address. |
| GoogleChronicleBackstory.Events.observer.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.observer.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.observer.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.observer.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.observer.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.observer.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.observer.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.observer.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.observer.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.observer.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.observer.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.observer.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.observer.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.observer.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.observer.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.observer.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.observer.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.observer.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.observer.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.observer.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.observer.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.observer.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.observer.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.observer.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.observer.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.observer.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.observer.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.observer.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.observer.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.observer.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.observer.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.observer.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.observer.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.observer.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.observer.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.about.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.about.email | String | Email address. |
| GoogleChronicleBackstory.Events.about.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.about.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.about.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.about.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.about.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.about.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.about.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.about.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.about.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.about.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.about.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.about.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.about.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.about.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.about.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.about.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.about.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.about.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.about.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.about.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.about.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.about.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.about.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.about.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.about.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.about.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.about.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.about.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.about.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.about.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.about.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.about.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.about.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.about.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.about.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.about.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.about.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.about.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.about.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.about.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.about.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.about.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.network.applicationProtocol | String | Indicates the network application protocol. |
| GoogleChronicleBackstory.Events.network.direction | String | Indicates the direction of network traffic. |
| GoogleChronicleBackstory.Events.network.email | String | Specifies the email address for the sender/recipient. |
| GoogleChronicleBackstory.Events.network.ipProtocol | String | Indicates the IP protocol. |
| GoogleChronicleBackstory.Events.network.receivedBytes | String | Specifies the number of bytes received. |
| GoogleChronicleBackstory.Events.network.sentBytes | String | Specifies the number of bytes sent. |
| GoogleChronicleBackstory.Events.network.dhcp.clientHostname | String | Hostname for the client. |
| GoogleChronicleBackstory.Events.network.dhcp.clientIdentifier | String | Client identifier. |
| GoogleChronicleBackstory.Events.network.dhcp.file | String | Filename for the boot image. |
| GoogleChronicleBackstory.Events.network.dhcp.flags | String | Value for the DHCP flags field. |
| GoogleChronicleBackstory.Events.network.dhcp.hlen | String | Hardware address length. |
| GoogleChronicleBackstory.Events.network.dhcp.hops | String | DHCP hop count. |
| GoogleChronicleBackstory.Events.network.dhcp.htype | String | Hardware address type. |
| GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSeconds | String | Client-requested lease time for an IP address in seconds. |
| GoogleChronicleBackstory.Events.network.dhcp.opcode | String | BOOTP op code. |
| GoogleChronicleBackstory.Events.network.dhcp.requestedAddress | String | Client identifier. |
| GoogleChronicleBackstory.Events.network.dhcp.seconds | String | Seconds elapsed since the client began the address acquisition/renewal process. |
| GoogleChronicleBackstory.Events.network.dhcp.sname | String | Name of the server which the client has requested to boot from. |
| GoogleChronicleBackstory.Events.network.dhcp.transactionId | String | Client transaction ID. |
| GoogleChronicleBackstory.Events.network.dhcp.type | String | DHCP message type. |
| GoogleChronicleBackstory.Events.network.dhcp.chaddr | String | IP address for the client hardware. |
| GoogleChronicleBackstory.Events.network.dhcp.ciaddr | String | IP address for the client. |
| GoogleChronicleBackstory.Events.network.dhcp.giaddr | String | IP address for the relay agent. |
| GoogleChronicleBackstory.Events.network.dhcp.siaddr | String | IP address for the next bootstrap server. |
| GoogleChronicleBackstory.Events.network.dhcp.yiaddr | String | Your IP address. |
| GoogleChronicleBackstory.Events.network.dns.authoritative | String | Set to true for authoritative DNS servers. |
| GoogleChronicleBackstory.Events.network.dns.id | String | Stores the DNS query identifier. |
| GoogleChronicleBackstory.Events.network.dns.response | String | Set to true if the event is a DNS response. |
| GoogleChronicleBackstory.Events.network.dns.opcode | String | Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.). |
| GoogleChronicleBackstory.Events.network.dns.recursionAvailable | String | Set to true if a recursive DNS lookup is available. |
| GoogleChronicleBackstory.Events.network.dns.recursionDesired | String | Set to true if a recursive DNS lookup is requested. |
| GoogleChronicleBackstory.Events.network.dns.responseCode | String | Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification. |
| GoogleChronicleBackstory.Events.network.dns.truncated | String | Set to true if this is a truncated DNS response. |
| GoogleChronicleBackstory.Events.network.dns.questions.name | String | Stores the domain name. |
| GoogleChronicleBackstory.Events.network.dns.questions.class | String | Stores the code specifying the class of the query. |
| GoogleChronicleBackstory.Events.network.dns.questions.type | String | Stores the code specifying the type of the query. |
| GoogleChronicleBackstory.Events.network.dns.answers.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Events.network.dns.answers.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.answers.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Events.network.dns.answers.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.answers.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Events.network.dns.answers.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.authority.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Events.network.dns.authority.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.authority.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Events.network.dns.authority.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.authority.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Events.network.dns.authority.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.additional.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Events.network.dns.additional.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.additional.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Events.network.dns.additional.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Events.network.dns.additional.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Events.network.dns.additional.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Events.network.email.from | String | Stores the from email address. |
| GoogleChronicleBackstory.Events.network.email.replyTo | String | Stores the reply_to email address. |
| GoogleChronicleBackstory.Events.network.email.to | String | Stores the to email addresses. |
| GoogleChronicleBackstory.Events.network.email.cc | String | Stores the cc email addresses. |
| GoogleChronicleBackstory.Events.network.email.bcc | String | Stores the bcc email addresses. |
| GoogleChronicleBackstory.Events.network.email.mailId | String | Stores the mail (or message) ID. |
| GoogleChronicleBackstory.Events.network.email.subject | String | Stores the email subject line. |
| GoogleChronicleBackstory.Events.network.ftp.command | String | Stores the FTP command. |
| GoogleChronicleBackstory.Events.network.http.method | String | Stores the HTTP request method. |
| GoogleChronicleBackstory.Events.network.http.referralUrl | String | Stores the URL for the HTTP referer. |
| GoogleChronicleBackstory.Events.network.http.responseCode | String | Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed. |
| GoogleChronicleBackstory.Events.network.http.useragent | String | Stores the User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| GoogleChronicleBackstory.Events.authentication.authType | String | Type of system an authentication event is associated with (Chronicle UDM). |
| GoogleChronicleBackstory.Events.authentication.mechanism | String | Mechanism(s) used for authentication. |
| GoogleChronicleBackstory.Events.securityResult.about | String | Provide a description of the security result. |
| GoogleChronicleBackstory.Events.securityResult.action | String | Specify a security action. |
| GoogleChronicleBackstory.Events.securityResult.category | String | Specify a security category. |
| GoogleChronicleBackstory.Events.securityResult.confidence | String | Specify a confidence with regards to a security event as estimated by the product. |
| GoogleChronicleBackstory.Events.securityResult.confidenceDetails | String | Additional detail with regards to the confidence of a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Events.securityResult.priority | String | Specify a priority with regards to a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Events.securityResult.priorityDetails | String | Vendor-specific information about the security result priority. |
| GoogleChronicleBackstory.Events.securityResult.ruleId | String | Identifier for the security rule. |
| GoogleChronicleBackstory.Events.securityResult.ruleName | String | Name of the security rule. |
| GoogleChronicleBackstory.Events.securityResult.severity | String | Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM. |
| GoogleChronicleBackstory.Events.securityResult.severityDetails | String | Severity for a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Events.securityResult.threatName | String | Name of the security threat. |
| GoogleChronicleBackstory.Events.securityResult.urlBackToProduct | String | URL to direct you to the source product console for this security event. |

Command example#

```
!gcb-list-events asset_identifier=1.2.3.4 asset_identifier_type="IP Address" page_size=1 start_time="10 days"
```

Context Example#

```json
{
    "GoogleChronicleBackstory": {
        "Events": {
            "eventTimestamp": "2025-07-10T00:01:00Z",
            "collectedTimestamp": "2025-07-10T00:01:00Z",
            "eventType": "NETWORK_DNS",
            "productName": "ExtraHop",
            "principal": {
                "hostname": "dummy-host",
                "ip": [
                    "1.2.3.4"
                ]
            },
            "target": {
                "ip": [
                    "5.6.7.8"
                ]
            },
            "network": {
                "applicationProtocol": "DNS",
                "dns": {
                    "questions": [
                        {
                            "name": "www.test.com",
                            "type": 1
                        }
                    ],
                    "answers": [
                        {
                            "name": "www.test.com",
                            "type": 1,
                            "ttl": 1111,
                            "data": "4.3.2.1"
                        }
                    ]
                }
            }
        }
    }
}
```

Event(s) Details#

| Event Timestamp | Event Type | Principal Asset Identifier | Target Asset Identifier | Queried Domain |
| --- | --- | --- | --- | --- |
| 2025-07-10T00:01:00Z | NETWORK_DNS | 1.2.3.4 | 5.6.7.8 | www.test.com |

Maximum number of events specified in page_size has been returned. There might still be more events in your Google SecOps account. To fetch the next set of events, execute the command with the start time as 2025-07-10T00:01:00Z.

6. gcb-list-detections#


Return the detections for the specified version of a rule, the latest version of a rule, all versions of a rule, or all versions of all rules.

Base Command#

gcb-list-detections

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Unique identifier for a rule or specific version of a rule, defined and returned by the server. You can specify exactly one rule identifier. Use the following format to specify the id: ru{UUID} or {ruleId}@v{int64}_{int64}. If not specified, detections for all versions of all rules are returned. | Optional |
| detection_start_time | (Deprecated) Time to begin returning detections, filtering on a detection's detectionTime. If not specified, the start time is treated as open-ended. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| detection_end_time | (Deprecated) Time to stop returning detections, filtering on a detection's detectionTime. If not specified, the end time is treated as open-ended. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| start_time | Time to begin returning detections, filtering by the detection field specified in the listBasis parameter. If not specified, the start time is treated as open-ended. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| end_time | Time to stop returning detections, filtering by the detection field specified in the listBasis parameter. If not specified, the end time is treated as open-ended. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| detection_for_all_versions | Whether to retrieve detections for all versions of the rule with the given rule identifier. Note: If this option is set to true, the rule id is required. | Optional |
| list_basis | Sort detections by "DETECTION_TIME" or by "CREATED_TIME". If not specified, it defaults to "DETECTION_TIME". Detections are returned in descending order of the timestamp. Note: Requires either the "start_time" or the "end_time" argument. | Optional |
| alert_state | Filter detections by whether they are ALERTING or NOT_ALERTING. Omit this argument to return all detections. | Optional |
| page_size | Specify the limit on the number of detections to display. You can specify between 1 and 1000. | Optional |
| page_token | A page token received from a previous call. Provide this to retrieve the subsequent page. If a page token is provided, it overrides the detection start and end time arguments. | Optional |
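The argument table above states several constraints that only surface as API errors at run time (the rule id format, `detection_for_all_versions` needing an `id`, `list_basis` needing a time bound, `page_size` between 1 and 1000, `page_token` overriding the time window, and the accepted time formats). As an added example that is not the integration's own code, this Python helper checks those constraints client-side and normalises the time arguments; the function names, the fixed reference time, and tolerating an optional underscore after `ru` and after `v` in rule ids are assumptions.

```python
"""Client-side checks for gcb-list-detections arguments (added example).

Applies the constraints the argument table documents and normalises the
supported time formats to YYYY-MM-ddTHH:mm:ssZ. Function names are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed reference "now" so relative times ("10 days") are reproducible.
REFERENCE_NOW = datetime(2025, 7, 10, 0, 0, 0, tzinfo=timezone.utc)

# Documented forms: ru{UUID} or {ruleId}@v{int64}_{int64}. Accepting an
# optional underscore after "ru" and after "v" is an assumption for tolerance.
_UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
RULE_ID_RE = re.compile(rf"^ru_?{_UUID}(?:@v_?\d+_\d+)?$")
_RELATIVE_RE = re.compile(r"^(\d+)\s+(days?|hours?)$")
_OUT_FMT = "%Y-%m-%dT%H:%M:%SZ"


def normalise_time(value: str, now: Optional[datetime] = None) -> str:
    """Turn any documented time form into YYYY-MM-ddTHH:mm:ssZ (UTC)."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    m = _RELATIVE_RE.match(value)
    if m:  # "N days" / "N hours" are relative to now
        amount, unit = int(m.group(1)), m.group(2)
        delta = timedelta(days=amount) if unit.startswith("day") else timedelta(hours=amount)
        return (now - delta).strftime(_OUT_FMT)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d %b %Y %H:%M:%S", "%d %b %Y", "%d %b"):
        try:
            parsed = datetime.strptime(value, fmt)
        except ValueError:
            continue
        if fmt == "%d %b":  # "15 Jun" carries no year: assume the current one
            parsed = parsed.replace(year=now.year)
        return parsed.strftime(_OUT_FMT)
    raise ValueError(f"unsupported time format: {value!r}")


def build_list_detections_params(args: dict, now: Optional[datetime] = None) -> dict:
    """Validate command arguments and return the request parameters to send."""
    params: dict = {}
    rule_id = args.get("id")
    if rule_id:
        if not RULE_ID_RE.match(rule_id):
            raise ValueError("id must be ru{UUID} or {ruleId}@v{int64}_{int64}")
        params["id"] = rule_id

    if str(args.get("detection_for_all_versions", "false")).lower() == "true":
        if not rule_id:  # documented: all-versions listing needs a rule id
            raise ValueError("detection_for_all_versions=true requires id")
        params["detection_for_all_versions"] = True

    start, end, token = args.get("start_time"), args.get("end_time"), args.get("page_token")
    if token:  # documented: a page token overrides the start/end time window
        params["page_token"] = token
    else:
        if start:
            params["start_time"] = normalise_time(start, now)
        if end:
            params["end_time"] = normalise_time(end, now)

    list_basis = args.get("list_basis")
    if list_basis:
        if list_basis not in ("DETECTION_TIME", "CREATED_TIME"):
            raise ValueError("list_basis must be DETECTION_TIME or CREATED_TIME")
        if not (start or end):  # documented: list_basis needs a time bound
            raise ValueError("list_basis requires start_time or end_time")
        params["list_basis"] = list_basis

    alert_state = args.get("alert_state")
    if alert_state:
        if alert_state not in ("ALERTING", "NOT_ALERTING"):
            raise ValueError("alert_state must be ALERTING or NOT_ALERTING")
        params["alert_state"] = alert_state

    if args.get("page_size") is not None:
        page_size = int(args["page_size"])
        if not 1 <= page_size <= 1000:
            raise ValueError("page_size must be between 1 and 1000")
        params["page_size"] = page_size
    return params


if __name__ == "__main__":
    sample = {  # constructed argument set mirroring the table
        "id": "ru_12345678-1234-1234-1234-123456789abc",
        "detection_for_all_versions": "true",
        "start_time": "10 days",
        "list_basis": "CREATED_TIME",
        "alert_state": "ALERTING",
        "page_size": "50",
    }
    print(build_list_detections_params(sample, REFERENCE_NOW))
```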

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Detections.id | String | Identifier for the detection. |
| GoogleChronicleBackstory.Detections.ruleId | String | Identifier for the rule generating the detection. |
| GoogleChronicleBackstory.Detections.ruleVersion | String | Identifier for the rule version generating the detection. |
| GoogleChronicleBackstory.Detections.ruleName | String | Name of the rule generating the detection, as parsed from ruleText. |
| GoogleChronicleBackstory.Detections.timeWindowStartTime | Date | The start time of the window the detection was found in. |
| GoogleChronicleBackstory.Detections.timeWindowEndTime | Date | The end time of the window the detection was found in. |
| GoogleChronicleBackstory.Detections.alertState | String | Indicates whether the rule generating this detection currently has alerting enabled or disabled. |
| GoogleChronicleBackstory.Detections.urlBackToProduct | String | URL pointing to the Chronicle UI for this detection. |
| GoogleChronicleBackstory.Detections.type | String | Type of detection. |
| GoogleChronicleBackstory.Detections.createdTime | Date | Time the detection was created. |
| GoogleChronicleBackstory.Detections.detectionTime | Date | The time period the detection was found in. |
| GoogleChronicleBackstory.Detections.ruleType | String | Whether the rule generating this detection is a single event or multi-event rule. |
| GoogleChronicleBackstory.Detections.detectionFields.key | String | The key for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.Detections.detectionFields.value | String | The value for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.Detections.collectionElements.label | String | The variable a given set of UDM events belongs to. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principalAssetIdentifier | String | Specifies the principal asset identifier of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.targetAssetIdentifier | String | Specifies the target asset identifier of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.Detections.collectionElements.references.ingestedTimestamp | Date | The GMT timestamp when the event was ingested in the vendor's instance. |
| GoogleChronicleBackstory.Detections.collectionElements.references.description | String | Human-readable description of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productVersion | String | Specifies the version of the product. |
| GoogleChronicleBackstory.Detections.collectionElements.references.urlBackToProduct | String | URL linking to a relevant website where you can view more information about this specific event or the general event category. |
GoogleChronicleBackstory.Detections.collectionElements.references.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.principal.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.target.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.target.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.target.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.target.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.target.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.target.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.target.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.target.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.src.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.src.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.observer.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificProcessIdStringStores the product specific process ID.
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.email | String | Email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.url | String | Standard URL. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.about.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.applicationProtocol | String | Indicates the network application protocol. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.direction | String | Indicates the direction of network traffic. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email | String | Specifies the email address for the sender/recipient. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.ipProtocol | String | Indicates the IP protocol. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.receivedBytes | String | Specifies the number of bytes received. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.sentBytes | String | Specifies the number of bytes sent. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientHostname | String | Hostname for the client. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientIdentifier | String | Client identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.file | String | Filename for the boot image. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.flags | String | Value for the DHCP flags field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hlen | String | Hardware address length. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hops | String | DHCP hop count. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.htype | String | Hardware address type. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.leaseTimeSeconds | String | Client-requested lease time for an IP address in seconds. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.opcode | String | BOOTP op code. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.requestedAddress | String | Client identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.seconds | String | Seconds elapsed since the client began the address acquisition/renewal process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.sname | String | Name of the server which the client has requested to boot from. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.transactionId | String | Client transaction ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.type | String | DHCP message type. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.chaddr | String | IP address for the client hardware. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.ciaddr | String | IP address for the client. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.giaddr | String | IP address for the relay agent. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.siaddr | String | IP address for the next bootstrap server. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.yiaddr | String | Your IP address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authoritative | String | Set to true for authoritative DNS servers. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.id | String | Stores the DNS query identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.response | String | Set to true if the event is a DNS response. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.opcode | String | Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.). |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionAvailable | String | Set to true if a recursive DNS lookup is available. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionDesired | String | Set to true if a recursive DNS lookup is requested. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.responseCode | String | Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.truncated | String | Set to true if this is a truncated DNS response. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.name | String | Stores the domain name. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.class | String | Stores the code specifying the class of the query. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.type | String | Stores the code specifying the type of the query. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.from | String | Stores the from email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.replyTo | String | Stores the reply_to email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.to | String | Stores the to email addresses. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.cc | String | Stores the cc email addresses. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.bcc | String | Stores the bcc email addresses. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.mailId | String | Stores the mail (or message) ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.email.subject | String | Stores the email subject line. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.ftp.command | String | Stores the FTP command. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.http.method | String | Stores the HTTP request method. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.http.referralUrl | String | Stores the URL for the HTTP referer. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.http.responseCode | String | Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed. |
| GoogleChronicleBackstory.Detections.collectionElements.references.network.http.useragent | String | Stores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| GoogleChronicleBackstory.Detections.collectionElements.references.authentication.authType | String | Type of system an authentication event is associated with (Chronicle UDM). |
| GoogleChronicleBackstory.Detections.collectionElements.references.authentication.mechanism | String | Mechanism(s) used for authentication. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.about | String | Provide a description of the security result. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.action | String | Specify a security action. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.category | String | Specify a security category. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidence | String | Specify a confidence with regards to a security event as estimated by the product. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidenceDetails | String | Additional detail with regards to the confidence of a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priority | String | Specify a priority with regards to a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priorityDetails | String | Vendor-specific information about the security result priority. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleId | String | Identifier for the security rule. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleName | String | Name of the security rule. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severity | String | Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severityDetails | String | Severity for a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.threatName | String | Name of the security threat. |
| GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.urlBackToProduct | String | URL to direct you to the source product console for this security event. |
| GoogleChronicleBackstory.Token.name | String | The name of the command to which the value of the nextPageToken corresponds. |
| GoogleChronicleBackstory.Token.nextPageToken | String | A page token that can be provided to the next call to view the next page of detections. Absent if this is the last page. |
Command Example#

!gcb-list-detections id=ru_dummy_rule_id page_size=1

Context Example#
```json
{
  "GoogleChronicleBackstory": {
    "Detections": [
      {
        "alertState": "ALERTING",
        "collectionElements": [
          {
            "label": "event",
            "references": [
              {
                "eventTimestamp": "2020-12-21T02:58:06.804Z",
                "eventType": "NETWORK_DNS",
                "ingestedTimestamp": "2020-12-21T03:02:46.559472Z",
                "network": {
                  "applicationProtocol": "DNS",
                  "dns": {
                    "answers": [
                      {
                        "data": "4.3.2.1",
                        "name": "test1.com",
                        "ttl": 11111,
                        "type": 1
                      }
                    ],
                    "questions": [
                      {
                        "name": "test.com",
                        "type": 1
                      }
                    ],
                    "response": true
                  }
                },
                "principal": {
                  "hostname": "ray-xxx-laptop",
                  "ip": [
                    "0.0.0.0"
                  ],
                  "mac": [
                    "00:00:00:00:00:00"
                  ]
                },
                "principalAssetIdentifier": "ray-xxx-laptop",
                "productName": "ExtraHop",
                "securityResult": [
                  {
                    "action": [
                      "UNKNOWN_ACTION"
                    ]
                  }
                ],
                "target": {
                  "ip": [
                    "0.0.0.1"
                  ]
                },
                "targetAssetIdentifier": "0.0.0.1"
              }
            ]
          }
        ],
        "createdTime": "2020-12-21T03:12:50.128428Z",
        "detectionFields": [
          {
            "key": "client_ip",
            "value": "0.0.0.0"
          }
        ],
        "detectionTime": "2020-12-21T03:54:00Z",
        "id": "de_dummy_detection_id",
        "ruleId": "ru_dummy_rule_id",
        "ruleName": "SampleRule",
        "ruleType": "MULTI_EVENT",
        "ruleVersion": "ru_dummy_rule_id@v_version_id",
        "timeWindowEndTime": "2020-12-21T03:54:00Z",
        "timeWindowStartTime": "2020-12-21T02:54:00Z",
        "type": "RULE_DETECTION",
        "urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_dummy_detection_id"
      }
    ],
    "Token": {
      "name": "gcb-list-detections",
      "nextPageToken": "foobar_page_token"
    }
  }
}
```
Human Readable Output#

Detection(s) Details For Rule: SampleRule#

| Detection ID | Detection Type | Detection Time | Events | Alert State |
| --- | --- | --- | --- | --- |
| de_dummy_detection_id | RULE_DETECTION | 2020-12-21T03:54:00Z | Event Timestamp: 2020-12-21T02:58:06.804Z<br>Event Type: NETWORK_DNS<br>Principal Asset Identifier: ray-xxx-laptop<br>Target Asset Identifier: 0.0.0.1<br>Queried Domain: test.com | ALERTING |

View all detections for this rule in Google SecOps by clicking on SampleRule and to view individual detection in Google SecOps click on its respective Detection ID.

Note: If a specific version of the rule is provided then detections for that specific version will be fetched. Maximum number of detections specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token as foobar_page_token.
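The human-readable table above is a flattening of the context output: one row per detection, the Events cell built from each `collectionElements[].references[]` entry, and "Queried Domain" taken from `network.dns.questions[].name`. The following added example (not part of the integration) reproduces that flattening and reads `Token.nextPageToken` so a playbook can decide whether another page remains; the sample context is a constructed, trimmed copy of the Context Example.

```python
"""Flatten gcb-list-detections context output into the rows of the
human-readable table. Added example, not part of the Google SecOps integration."""
import json

# Constructed sample: a trimmed copy of the Context Example for gcb-list-detections.
SAMPLE_CONTEXT = json.loads(r"""
{"GoogleChronicleBackstory": {
  "Detections": [{
    "alertState": "ALERTING",
    "collectionElements": [{"label": "event", "references": [{
      "eventTimestamp": "2020-12-21T02:58:06.804Z",
      "eventType": "NETWORK_DNS",
      "network": {"applicationProtocol": "DNS",
                  "dns": {"questions": [{"name": "test.com", "type": 1}], "response": true}},
      "principalAssetIdentifier": "ray-xxx-laptop",
      "targetAssetIdentifier": "0.0.0.1"}]}],
    "detectionTime": "2020-12-21T03:54:00Z",
    "id": "de_dummy_detection_id",
    "ruleName": "SampleRule",
    "type": "RULE_DETECTION"}],
  "Token": {"name": "gcb-list-detections", "nextPageToken": "foobar_page_token"}}}
""")


def queried_domains(reference):
    """DNS question names of one UDM event reference (network.dns.questions[].name).
    Non-DNS events carry no network.dns block and yield an empty list."""
    questions = reference.get("network", {}).get("dns", {}).get("questions", [])
    return [q["name"] for q in questions if "name" in q]


def summarise_detection(detection):
    """Flatten one detection into the table columns; one entry per event reference."""
    events = []
    for element in detection.get("collectionElements", []):
        for ref in element.get("references", []):
            events.append({
                "eventTimestamp": ref.get("eventTimestamp"),
                "eventType": ref.get("eventType"),
                "principal": ref.get("principalAssetIdentifier"),
                "target": ref.get("targetAssetIdentifier"),
                "queriedDomains": queried_domains(ref),
            })
    return {
        "id": detection["id"],
        "type": detection.get("type"),
        "detectionTime": detection.get("detectionTime"),
        "alertState": detection.get("alertState"),
        "ruleName": detection.get("ruleName"),
        "events": events,
    }


def format_event(event):
    """Render one flattened event as the multi-line 'Events' cell of the table."""
    lines = [
        f"Event Timestamp: {event['eventTimestamp']}",
        f"Event Type: {event['eventType']}",
        f"Principal Asset Identifier: {event['principal']}",
        f"Target Asset Identifier: {event['target']}",
    ]
    if event["queriedDomains"]:
        lines.append("Queried Domain: " + ", ".join(event["queriedDomains"]))
    return "\n".join(lines)


def summarise_context(context):
    """Return (rows, next_page_token). The token is None on the last page,
    matching 'Absent if this is the last page' in the Token description."""
    root = context.get("GoogleChronicleBackstory", {})
    rows = [summarise_detection(d) for d in root.get("Detections", [])]
    token = root.get("Token") or {}
    # Token.name says which command the token belongs to; ignore tokens of other commands.
    next_token = token.get("nextPageToken") if token.get("name") == "gcb-list-detections" else None
    return rows, next_token


if __name__ == "__main__":
    rows, next_token = summarise_context(SAMPLE_CONTEXT)
    for row in rows:
        print(row["id"], row["type"], row["detectionTime"], row["alertState"])
        for ev in row["events"]:
            print(format_event(ev))
    print("next page token:", next_token)
```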

7. gcb-list-rules#


List the latest versions of all Rules.

Base Command#

gcb-list-rules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | Specify the maximum number of Rules to return. You can specify between 1 and 1000. Default is 100. | Optional |
| page_token | A page token, received from a previous call. Provide this to retrieve the subsequent page. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Rules.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.Rules.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.Rules.ruleName | String | Name of the rule, as parsed from ruleText. |
| GoogleChronicleBackstory.Rules.ruleText | String | Source code for the rule, as defined by the user. |
| GoogleChronicleBackstory.Rules.versionCreateTime | String | A string representing the time in ISO-8601 format. |
| GoogleChronicleBackstory.Rules.compilationState | String | Compilation state of the rule. It can be SUCCEEDED or FAILED. |
| GoogleChronicleBackstory.Rules.compilationError | String | A compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED. |
| GoogleChronicleBackstory.Rules.Metadata.severity | String | Severity for the rule. |
| GoogleChronicleBackstory.Rules.Metadata.author | String | Name of author for the rule. |
| GoogleChronicleBackstory.Rules.Metadata.description | String | Description of the rule. |
| GoogleChronicleBackstory.Rules.Metadata.reference | String | Reference link for the rule. |
| GoogleChronicleBackstory.Rules.Metadata.created | String | Time at which the rule is created. |
| GoogleChronicleBackstory.Rules.Metadata.updated | String | Time at which the rule is updated. |
| GoogleChronicleBackstory.Rules.referenceLists | String | Resource names of the reference lists used in this rule. |
| GoogleChronicleBackstory.Rules.allowedRunFrequencies | String | The run frequencies that are allowed for the rule. |
| GoogleChronicleBackstory.Token.name | String | The name of the command to which the value of the nextPageToken corresponds. |
| GoogleChronicleBackstory.Token.nextPageToken | String | A page token that can be provided to the next call to view the next page of Rules. Absent if this is the last page. |

Command Example#

!gcb-list-rules page_size=2

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "Rules": [
      {
        "ruleId": "dummy_rule_id",
        "versionId": "dummy_rule_id@dummy_revicion_id",
        "ruleName": "singleEventRule2",
        "ruleText": "rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n",
        "ruleType": "SINGLE_EVENT",
        "versionCreateTime": "2025-01-02T00:00:00.000000z",
        "metadata": {
          "author": "securityuser",
          "created": "2025-01-01T00:00:00.000000z",
          "severity": "",
          "description": "single event rule that should generate detections"
        },
        "compilationState": "SUCCEEDED",
        "inputsUsed": {
          "usesUdm": true
        },
        "allowedRunFrequencies": [
          "LIVE",
          "HOURLY",
          "DAILY"
        ]
      },
      {
        "ruleId": "dummy_rule_id_2",
        "versionId": "dummy_rule_id_2@dummy_revicion_id_2",
        "ruleName": "singleEventRule2",
        "ruleText": "rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n",
        "ruleType": "SINGLE_EVENT",
        "versionCreateTime": "2025-01-02T00:00:00.000000z",
        "metadata": {
          "author": "securityuser",
          "created": "2025-01-01T00:00:00.000000z",
          "severity": "",
          "description": "single event rule that should generate detections on platform"
        },
        "compilationState": "SUCCEEDED",
        "inputsUsed": {
          "usesUdm": true
        },
        "allowedRunFrequencies": [
          "LIVE",
          "HOURLY",
          "DAILY"
        ]
      }
    ],
    "Token": {
      "name": "gcb-list-rules",
      "nextPageToken": "test_page_token"
    }
  }
}
```

Human Readable Output#

Rule(s) Details#

| Rule ID | Rule Name | Compilation State |
| --- | --- | --- |
| dummy_rule_id | singleEventRule2 | SUCCEEDED |
| dummy_rule_id_2 | singleEventRule2 | SUCCEEDED |

Maximum number of rules specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token as test_page_token.

8. gcb-create-rule#


Creates a new rule. By default, the live rule status of the new rule is set to disabled.

Base Command#

gcb-create-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_text | Rule text in YARA-L 2.0 format for the rule to be created. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Rules.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.Rules.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.Rules.ruleName | String | Name of the rule, as parsed from ruleText. |
| GoogleChronicleBackstory.Rules.ruleText | String | Source code for the rule, as defined by the user. |
| GoogleChronicleBackstory.Rules.liveRuleEnabled | Boolean | Whether the rule is enabled to run as a Live Rule. |
| GoogleChronicleBackstory.Rules.alertingEnabled | Boolean | Whether the rule is enabled to generate Alerts. |
| GoogleChronicleBackstory.Rules.versionCreateTime | String | A string representing the time in ISO-8601 format. |
| GoogleChronicleBackstory.Rules.compilationState | String | Compilation state of the rule. It can be SUCCEEDED or FAILED. |
| GoogleChronicleBackstory.Rules.compilationError | String | A compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED. |
| GoogleChronicleBackstory.Rules.ruleType | String | Indicates the type of event in rule. It can be SINGLE_EVENT or MULTI_EVENT. |
| GoogleChronicleBackstory.Rules.metadata.severity | String | Severity for the rule. |
| GoogleChronicleBackstory.Rules.metadata.author | String | Name of author for the rule. |
| GoogleChronicleBackstory.Rules.metadata.description | String | Description of the rule. |
| GoogleChronicleBackstory.Rules.metadata.reference | String | Reference link for the rule. |
| GoogleChronicleBackstory.Rules.metadata.created | String | Time at which the rule is created. |
| GoogleChronicleBackstory.Rules.metadata.updated | String | Time at which the rule is updated. |
| GoogleChronicleBackstory.Rules.referenceLists | String | Resource names of the reference lists used in this rule. |
| GoogleChronicleBackstory.Rules.allowedRunFrequencies | String | The run frequencies that are allowed for the rule. |

Command Example#

!gcb-create-rule rule_text="rule demoRuleCreatedFromAPI {meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e}"

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "Rules": {
      "ruleId": "dummy_rule_id",
      "versionId": "dummy_rule_id@dummy_revicion_id",
      "ruleName": "singleEventRule2",
      "ruleText": "rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n",
      "ruleType": "SINGLE_EVENT",
      "versionCreateTime": "2025-01-02T00:00:00.000000z",
      "metadata": {
        "author": "securityuser",
        "created": "2025-01-01T00:00:00.000000z",
        "severity": "Medium",
        "description": "single event rule that should generate detections"
      },
      "compilationState": "SUCCEEDED",
      "inputsUsed": {
        "usesUdm": true
      },
      "allowedRunFrequencies": [
        "LIVE",
        "HOURLY",
        "DAILY"
      ]
    }
  }
}
```

Human Readable Output#

Rule Details#

| Rule ID | Version ID | Author | Rule Name | Description | Version Creation Time | Compilation Status | Rule Text | Allowed Run Frequencies |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| dummy_rule_id | dummy_rule_id@dummy_revicion_id | securityuser | singleEventRule2 | single event rule that should generate detections | 2025-01-02T00:00:00.000000z | SUCCEEDED | rule singleEventRule2 { meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e } | LIVE, HOURLY, DAILY |
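The rule commands above share a few mechanics worth seeing in code: `rule_text` is passed inside a double-quoted argument with embedded quotes backslash-escaped (gcb-create-rule Command Example), `ruleName` is "parsed from ruleText", a create response can report `compilationState` FAILED with a `compilationError`, and gcb-list-rules pages via `page_token` until `Token.nextPageToken` is absent. The following added example (not part of the integration) implements each of these; the YARA-L rule is the one from the Command Example written out on several lines, and the page responses are constructed stand-ins for what `!gcb-list-rules` and `!gcb-create-rule` would put in context.

```python
"""Helpers around gcb-create-rule and gcb-list-rules. Added example, not part
of the Google SecOps integration; all sample data is constructed."""
import re

# Constructed rule: the gcb-create-rule Command Example rule, multi-line.
YARA_L_RULE = """rule demoRuleCreatedFromAPI {
  meta:
    author = "securityuser"
    description = "single event rule that should generate detections"
  events:
    $e.metadata.event_type = "NETWORK_DNS"
  condition:
    $e
}"""

# 'rule <name> {' header; this is how ruleName is derived from ruleText.
RULE_HEADER_RE = re.compile(r"^\s*rule\s+([A-Za-z_][A-Za-z0-9_]*)\s*\{", re.MULTILINE)


def rule_name_from_text(rule_text):
    """Return the rule name parsed from the rule header."""
    match = RULE_HEADER_RE.search(rule_text)
    if not match:
        raise ValueError("rule text has no 'rule <name> {' header")
    return match.group(1)


def create_rule_command(rule_text):
    """Build the War Room command line. The rule goes inside a double-quoted
    rule_text argument, so embedded double quotes are backslash-escaped and the
    rule is collapsed onto one line as in the Command Example (only safe for
    rules without // line comments)."""
    one_line = " ".join(part.strip() for part in rule_text.splitlines() if part.strip())
    escaped = one_line.replace('"', '\\"')
    return f'!gcb-create-rule rule_text="{escaped}"'


def check_create_result(context):
    """Interpret gcb-create-rule context output. The output documents
    compilationState FAILED plus compilationError, so the result is checked
    rather than assumed to be a runnable rule."""
    rule = context["GoogleChronicleBackstory"]["Rules"]
    if rule.get("compilationState") != "SUCCEEDED":
        detail = rule.get("compilationError", "no compilationError reported")
        raise RuntimeError(f"rule {rule.get('ruleId')} did not compile: {detail}")
    return rule["ruleId"], rule["versionId"]


def collect_all_rules(fetch_page):
    """Drive gcb-list-rules pagination. fetch_page(page_token) returns the context
    object of one call (None for the first call); iteration stops when
    Token.nextPageToken is absent, i.e. on the last page."""
    rules, token, seen = [], None, set()
    while True:
        root = fetch_page(token)["GoogleChronicleBackstory"]
        rules.extend(root.get("Rules", []))
        token = (root.get("Token") or {}).get("nextPageToken")
        if not token:
            return rules
        if token in seen:  # a repeated token would otherwise loop forever
            raise RuntimeError(f"pagination loop on token {token}")
        seen.add(token)


# Constructed two-page gcb-list-rules response, shaped like the Context Example.
FAKE_PAGES = {
    None: {"GoogleChronicleBackstory": {
        "Rules": [{"ruleId": "dummy_rule_id", "compilationState": "SUCCEEDED"},
                  {"ruleId": "dummy_rule_id_2", "compilationState": "SUCCEEDED"}],
        "Token": {"name": "gcb-list-rules", "nextPageToken": "test_page_token"}}},
    "test_page_token": {"GoogleChronicleBackstory": {
        "Rules": [{"ruleId": "dummy_rule_id_3", "compilationState": "FAILED",
                   "compilationError": "constructed compile error"}]}},
}

# Constructed gcb-create-rule result, shaped like the Context Example.
FAKE_CREATE_RESULT = {"GoogleChronicleBackstory": {"Rules": {
    "ruleId": "dummy_rule_id", "versionId": "dummy_rule_id@dummy_revision_id",
    "ruleName": "demoRuleCreatedFromAPI", "compilationState": "SUCCEEDED"}}}


def fake_fetch_page(page_token):
    """Stand-in for running '!gcb-list-rules page_size=2 page_token=...' in XSOAR."""
    return FAKE_PAGES[page_token]


if __name__ == "__main__":
    print(rule_name_from_text(YARA_L_RULE))
    print(create_rule_command(YARA_L_RULE))
    print(check_create_result(FAKE_CREATE_RESULT))
    print([r["ruleId"] for r in collect_all_rules(fake_fetch_page)])
```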

9. gcb-get-rule#


Retrieves the details of the rule specified by Rule ID or Version ID.

Base Command#

gcb-get-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Rule ID or Version ID of the rule to be retrieved. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Rules.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.Rules.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.Rules.ruleName | String | Name of the rule, as parsed from ruleText. |
| GoogleChronicleBackstory.Rules.ruleText | String | Source code for the rule, as defined by the user. |
| GoogleChronicleBackstory.Rules.versionCreateTime | String | A string representing the time in ISO-8601 format. |
| GoogleChronicleBackstory.Rules.compilationState | String | Compilation state of the rule. It can be SUCCEEDED or FAILED. |
| GoogleChronicleBackstory.Rules.compilationError | String | A compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED. |
| GoogleChronicleBackstory.Rules.ruleType | String | Indicates the type of event in rule. It can be SINGLE_EVENT or MULTI_EVENT. |
| GoogleChronicleBackstory.Rules.metadata.severity | String | Severity for the rule. |
| GoogleChronicleBackstory.Rules.metadata.author | String | Name of author for the rule. |
| GoogleChronicleBackstory.Rules.metadata.description | String | Description of the rule. |
| GoogleChronicleBackstory.Rules.metadata.reference | String | Reference link for the rule. |
| GoogleChronicleBackstory.Rules.metadata.created | String | Time at which the rule is created. |
| GoogleChronicleBackstory.Rules.metadata.updated | String | Time at which the rule is updated. |
| GoogleChronicleBackstory.Rules.referenceLists | String | Resource names of the reference lists used in this rule. |
| GoogleChronicleBackstory.Rules.allowedRunFrequencies | String | The run frequencies that are allowed for the rule. |

Command Example#

!gcb-get-rule id=dummy_rule_id

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "Rules": [
      {
        "ruleId": "dummy_rule_id",
        "versionId": "dummy_rule_id@dummy_revision_id",
        "ruleName": "singleEventRule2",
        "ruleText": "rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n",
        "ruleType": "SINGLE_EVENT",
        "versionCreateTime": "2025-01-02T00:00:00.000000z",
        "metadata": {
          "description": "single event rule that should generate detections",
          "author": "securityuser",
          "created": "2025-01-01T00:00:00.000000z",
          "severity": "Medium"
        },
        "compilationState": "SUCCEEDED",
        "inputsUsed": {
          "usesUdm": true
        },
        "allowedRunFrequencies": [
          "LIVE",
          "HOURLY",
          "DAILY"
        ]
      }
    ]
  }
}
```

Human Readable Output#

Rule Details#

| Rule ID | Version ID | Author | Rule Name | Description | Version Creation Time | Compilation Status | Rule Text | Allowed Run Frequencies |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| dummy_rule_id | dummy_rule_id@dummy_revision_id | securityuser | singleEventRule2 | single event rule that should generate detections | 2025-01-02T00:00:00.000000z | SUCCEEDED | rule singleEventRule2 { meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e } | LIVE, HOURLY, DAILY |

10. gcb-delete-rule#


Deletes the rule specified by Rule ID.

Base Command#

gcb-delete-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | ID of the rule to be deleted. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.DeleteRule.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.DeleteRule.actionStatus | String | Whether the rule was successfully deleted or not. |

Command Example#

!gcb-delete-rule rule_id=dummy_rule_id

Context Example#

{
"GoogleChronicleBackstory": {
"DeleteRule": {
"actionStatus": "SUCCESS",
"ruleId": "dummy_rule_id"
}
}
}

Human Readable Output#

Rule with ID test_rule_id deleted successfully#

| Rule ID | Action Status |
| --- | --- |
| test_rule_id | SUCCESS |

11. gcb-create-rule-version#


Creates a new version of an existing rule.

Base Command#

gcb-create-rule-version

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | Rule ID of the rule for which to create a new version. | Required |
| rule_text | Rule text in YARA-L 2.0 format for the new version of the rule to be created. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Rules.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.Rules.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.Rules.ruleName | String | Name of the rule, as parsed from ruleText. |
| GoogleChronicleBackstory.Rules.ruleText | String | Source code for the rule, as defined by the user. |
| GoogleChronicleBackstory.Rules.liveRuleEnabled | Boolean | Whether the rule is enabled to run as a Live Rule. |
| GoogleChronicleBackstory.Rules.alertingEnabled | Boolean | Whether the rule is enabled to generate Alerts. |
| GoogleChronicleBackstory.Rules.versionCreateTime | String | A string representing the time in ISO-8601 format. |
| GoogleChronicleBackstory.Rules.compilationState | String | Compilation state of the rule. It can be SUCCEEDED or FAILED. |
| GoogleChronicleBackstory.Rules.compilationError | String | A compilation error if compilationState is FAILED, absent if compilationState is SUCCEEDED. |
| GoogleChronicleBackstory.Rules.ruleType | String | Indicates the type of event in the rule. It can be SINGLE_EVENT or MULTI_EVENT. |
| GoogleChronicleBackstory.Rules.metadata.severity | String | Severity for the rule. |
| GoogleChronicleBackstory.Rules.metadata.author | String | Name of the author of the rule. |
| GoogleChronicleBackstory.Rules.metadata.description | String | Description of the rule. |
| GoogleChronicleBackstory.Rules.metadata.reference | String | Reference link for the rule. |
| GoogleChronicleBackstory.Rules.metadata.created | String | Time at which the rule was created. |
| GoogleChronicleBackstory.Rules.metadata.updated | String | Time at which the rule was updated. |
| GoogleChronicleBackstory.Rules.referenceLists | String | Resource names of the reference lists used in this rule. |
| GoogleChronicleBackstory.Rules.allowedRunFrequencies | String | The run frequencies that are allowed for the rule. |

Command Example#

!gcb-create-rule-version rule_id="dummy_rule_id" rule_text="rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n"

Context Example#

{
"GoogleChronicleBackstory": {
"Rules": {
"ruleId": "dummy_rule_id",
"versionId": "dummy_rule_id@dummy_revicion_id",
"ruleName": "singleEventRule2",
"ruleText": "rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }\n",
"ruleType": "SINGLE_EVENT",
"versionCreateTime": "2025-01-02T00:00:00.000000z",
"metadata": {
"author": "securityuser",
"created": "2025-01-01T00:00:00.000000z",
"severity": "Medium",
"description": "single event rule that should generate detections"
},
"compilationState": "SUCCEEDED",
"inputsUsed": {
"usesUdm": true
},
"allowedRunFrequencies": [
"LIVE",
"HOURLY",
"DAILY"
]
}
}
}

Human Readable Output#

Rule Details#

| Rule ID | Version ID | Author | Rule Name | Description | Version Creation Time | Compilation Status | Rule Text | Allowed Run Frequencies |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| dummy_rule_id | dummy_rule_id@dummy_revicion_id | securityuser | singleEventRule2 | single event rule that should generate detections | 2025-01-02T00:00:00.000000z | SUCCEEDED | rule singleEventRule2 { meta: author = "securityuser" description = "single event rule that should generate detections" events: $e.metadata.event_type = "NETWORK_DNS" condition: $e } | LIVE, HOURLY, DAILY |

12. gcb-change-rule-alerting-status#


Updates the alerting status for a rule specified by Rule ID.

Base Command#

gcb-change-rule-alerting-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | ID of the rule. | Required |
| alerting_status | New alerting status for the Rule. Possible values are: "enable" or "disable". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RuleAlertingChange.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.RuleAlertingChange.actionStatus | String | Whether the alerting status for the rule was successfully updated or not. |
| GoogleChronicleBackstory.RuleAlertingChange.alertingStatus | String | New alerting status for the rule. |

Command Example#

!gcb-change-rule-alerting-status alerting_status=enable rule_id=dummy_rule_id

Context Example#

{
"GoogleChronicleBackstory": {
"RuleAlertingChange": {
"actionStatus": "SUCCESS",
"alertingStatus": "enable",
"ruleId": "dummy_rule_id"
}
}
}

Human Readable Output#

Alerting Status#

Alerting status for the rule with ID dummy_rule_id has been successfully enabled.

| Rule ID | Action Status |
| --- | --- |
| dummy_rule_id | SUCCESS |

13. gcb-change-live-rule-status#


Updates the live rule status for a rule specified by Rule ID.

Base Command#

gcb-change-live-rule-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | ID of the rule. | Required |
| live_rule_status | New live rule status for the Rule. Possible values are: "enable" or "disable". | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.LiveRuleStatusChange.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.LiveRuleStatusChange.actionStatus | String | Whether the live rule status for the rule was successfully updated or not. |
| GoogleChronicleBackstory.LiveRuleStatusChange.liveRuleStatus | String | New live rule status for the rule. |

Command Example#

!gcb-change-live-rule-status live_rule_status=enable rule_id=ru_abcd

Context Example#

{
"GoogleChronicleBackstory": {
"LiveRuleStatusChange": {
"actionStatus": "SUCCESS",
"liveRuleStatus": "enable",
"ruleId": "ru_abcd"
}
}
}

Human Readable Output#

Live Rule Status#

Live rule status for the rule with ID ru_abcd has been successfully enabled.

| Rule ID | Action Status |
| --- | --- |
| ru_abcd | SUCCESS |

14. gcb-start-retrohunt#


Initiate a retrohunt for the specified rule.

Base Command#

gcb-start-retrohunt

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | Rule ID or Version ID of the rule whose retrohunt is to be started. | Required |
| start_time | Start time for the time range of logs being processed. The date must comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or be a relative time. If not supplied, the product uses the UTC time corresponding to 1 week earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
| end_time | End time for the time range of logs being processed. The date must comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z) or be a relative time. If not supplied, the product uses the UTC time corresponding to 10 minutes earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2020-05-01T00:00:00Z, 2020-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2021 04:45:33, 15 Jun. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RetroHunt.retrohuntId | String | Unique identifier for a retrohunt, defined and returned by the server. |
| GoogleChronicleBackstory.RetroHunt.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.RetroHunt.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.RetroHunt.eventStartTime | Date | Start time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.eventEndTime | Date | End time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.retrohuntStartTime | Date | Start time for the retrohunt. |
| GoogleChronicleBackstory.RetroHunt.state | String | Current state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE, or CANCELLED. |

Command Example#

!gcb-start-retrohunt rule_id=ru_dummy_rule_id start_time="1 day"

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"retrohuntId": "oh_dummy_retrohunt_id",
"ruleId": "ru_dummy_rule_id",
"versionId": "ru_dummy_rule_id@v_dummy_revision_id",
"eventStartTime": "2025-07-01T10:00:00Z",
"eventEndTime": "2025-07-08T10:00:00Z",
"retrohuntStartTime": "2025-07-08T12:00:00.000000Z",
"state": "RUNNING",
"progressPercentage": 0
}
}
}

Human Readable Output#

Retrohunt Details#

| Retrohunt ID | Rule ID | Version ID | Event Start Time | Event End Time | Retrohunt Start Time | State | Progress Percentage |
| --- | --- | --- | --- | --- | --- | --- | --- |
| oh_dummy_retrohunt_id | ru_dummy_rule_id | ru_dummy_rule_id@v_dummy_revision_id | 2025-07-01T10:00:00Z | 2025-07-08T10:00:00Z | 2025-07-08T12:00:00.000000Z | RUNNING | 0 |

15. gcb-get-retrohunt#


Gets the retrohunt for a specific version of a rule.

Base Command#

gcb-get-retrohunt

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Rule ID or Version ID of the rule whose retrohunt is to be retrieved. | Required |
| retrohunt_id | Unique identifier for a retrohunt, defined and returned by the server. You must specify exactly one retrohunt identifier. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RetroHunt.retrohuntId | String | Unique identifier for a retrohunt, defined and returned by the server. |
| GoogleChronicleBackstory.RetroHunt.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.RetroHunt.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.RetroHunt.eventStartTime | Date | Start time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.eventEndTime | Date | End time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.retrohuntStartTime | Date | Start time for the retrohunt. |
| GoogleChronicleBackstory.RetroHunt.retrohuntEndTime | Date | End time for the retrohunt. |
| GoogleChronicleBackstory.RetroHunt.state | String | Current state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE or CANCELLED. |
| GoogleChronicleBackstory.RetroHunt.progressPercentage | Number | Percentage progress towards retrohunt completion (0.00 to 100.00). |

Command Example#

!gcb-get-retrohunt id=ru_dummy_rule_id retrohunt_id=oh_dummy_retrohunt_id

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"retrohuntId": "oh_dummy_retrohunt_id",
"ruleId": "ru_dummy_rule_id",
"versionId": "ru_dummy_rule_id@v_dummy_revision_id",
"eventStartTime": "2025-07-01T10:00:00Z",
"eventEndTime": "2025-07-08T10:00:00Z",
"retrohuntStartTime": "2025-07-08T12:00:00.000000Z",
"retrohuntEndTime": "2025-07-08T12:15:00.000000Z",
"state": "DONE",
"progressPercentage": 100
}
}
}

Human Readable Output#

Retrohunt Details#

| Retrohunt ID | Rule ID | Version ID | Event Start Time | Event End Time | Retrohunt Start Time | Retrohunt End Time | State | Progress Percentage |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| oh_dummy_retrohunt_id | ru_dummy_rule_id | ru_dummy_rule_id@v_dummy_revision_id | 2025-07-01T10:00:00Z | 2025-07-08T10:00:00Z | 2025-07-08T12:00:00.000000Z | 2025-07-08T12:15:00.000000Z | DONE | 100 |

16. gcb-list-retrohunts#


List retrohunts for a rule.

Base Command#

gcb-list-retrohunts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Rule ID or Version ID of the rule whose retrohunts are to be listed. If not supplied, retrohunts for all versions of all rules will be listed. | Optional |
| retrohunts_for_all_versions | Whether to retrieve retrohunts for all versions of a rule with a given rule identifier. Note: If this option is set to true, the rule id is required. Possible values are: True, False. Default is False. | Optional |
| state | Filter retrohunts based on their status. Possible values are: RUNNING, DONE, CANCELLED. | Optional |
| page_size | Specify the maximum number of retrohunts to return. You can specify between 1 and 1000. Default is 100. | Optional |
| page_token | A page token, received from a previous call. Provide this to retrieve the subsequent page. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RetroHunt.retrohuntId | String | Unique identifier for a retrohunt, defined and returned by the server. |
| GoogleChronicleBackstory.RetroHunt.ruleId | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.RetroHunt.versionId | String | Unique identifier for a specific version of a rule. |
| GoogleChronicleBackstory.RetroHunt.eventStartTime | Date | Start time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.eventEndTime | Date | End time for the time range of logs being processed. |
| GoogleChronicleBackstory.RetroHunt.retrohuntStartTime | Date | Start time for the retrohunt. |
| GoogleChronicleBackstory.RetroHunt.retrohuntEndTime | Date | End time for the retrohunt. |
| GoogleChronicleBackstory.RetroHunt.state | String | Current state of the retrohunt. It can be STATE_UNSPECIFIED, RUNNING, DONE or CANCELLED. |
| GoogleChronicleBackstory.RetroHunt.progressPercentage | Number | Percentage progress towards retrohunt completion (0.00 to 100.00). |

Command Example#

!gcb-list-retrohunts id=ru_dummy_rule_id retrohunts_for_all_versions=true

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": [
{
"retrohuntId": "oh_dummy_retrohunt_id",
"ruleId": "ru_dummy_rule_id",
"versionId": "ru_dummy_rule_id@v_dummy_revision_id",
"eventStartTime": "2025-07-01T10:00:00Z",
"eventEndTime": "2025-07-08T10:00:00Z",
"retrohuntStartTime": "2025-07-08T12:00:00.000000Z",
"retrohuntEndTime": "2025-07-08T12:15:00.000000Z",
"state": "DONE",
"progressPercentage": 100
}
]
}
}

Human Readable Output#

Retrohunt Details#

| Retrohunt ID | Rule ID | Version ID | Event Start Time | Event End Time | Retrohunt Start Time | Retrohunt End Time | State | Progress Percentage |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| oh_dummy_retrohunt_id | ru_dummy_rule_id | ru_dummy_rule_id@v_dummy_revision_id | 2025-07-01T10:00:00Z | 2025-07-08T10:00:00Z | 2025-07-08T12:00:00.000000Z | 2025-07-08T12:15:00.000000Z | DONE | 100 |

Maximum number of retrohunts specified in page_size has been returned. To fetch the next set of retrohunts, execute the command with the page token as dummy_page_token

17. gcb-cancel-retrohunt#


Cancel a retrohunt for a specified rule.

Base Command#

gcb-cancel-retrohunt

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Rule ID or Version ID of the rule whose retrohunt is to be cancelled. | Required |
| retrohunt_id | Unique identifier for a retrohunt, defined and returned by the server. You must specify exactly one retrohunt identifier. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RetroHunt.id | String | Unique identifier for a Rule. |
| GoogleChronicleBackstory.RetroHunt.retrohuntId | String | Unique identifier for a retrohunt, defined and returned by the server. |
| GoogleChronicleBackstory.RetroHunt.cancelled | Boolean | Whether the retrohunt is cancelled or not. |

Command Example#

!gcb-cancel-retrohunt id=dummy_rule_or_version_id retrohunt_id=dummy_retrohunt_id

Context Example#

{
"GoogleChronicleBackstory": {
"RetroHunt": {
"cancelled": true,
"id": "dummy_rule_or_version_id",
"retrohuntId": "dummy_retrohunt_id"
}
}
}

Human Readable Output#

Cancelled Retrohunt#

Retrohunt for the rule with ID dummy_rule_or_version_id has been successfully cancelled.

| ID | Retrohunt ID | Action Status |
| --- | --- | --- |
| dummy_rule_or_version_id | dummy_retrohunt_id | SUCCESS |
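An added example (not the integration's own code) that drives the retrohunt lifecycle of commands 14 to 17 from Python: start a hunt, poll gcb-get-retrohunt until its state is DONE or CANCELLED, and cancel it if the poll budget runs out. The `run` callable, the `FakeSecOps` stand-in and the poll budget are assumptions; in an XSOAR automation `run` would wrap demisto.executeCommand and return the command's context.

```python
"""Start -> poll -> cancel for one Google SecOps retrohunt, using the
command names, arguments and context paths documented on this page."""
import time
from typing import Any, Callable, Dict, List, Optional

# Values documented for the GoogleChronicleBackstory.RetroHunt.state path.
KNOWN_STATES = {"STATE_UNSPECIFIED", "RUNNING", "DONE", "CANCELLED"}
TERMINAL_STATES = {"DONE", "CANCELLED"}

# Assumed signature: run(command_name, args) -> context dict of that command.
Runner = Callable[[str, Dict[str, str]], Dict[str, Any]]


def _hunt(ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the RetroHunt object from a command's context output."""
    return ctx["GoogleChronicleBackstory"]["RetroHunt"]


def run_retrohunt(run: Runner, rule_id: str, start_time: Optional[str] = None,
                  end_time: Optional[str] = None, max_polls: int = 20,
                  poll_interval: float = 30.0,
                  sleep: Callable[[float], None] = time.sleep) -> Dict[str, Any]:
    """Start a retrohunt for rule_id and wait for a terminal state.

    start_time / end_time are passed through only when given, so the
    documented defaults (1 week ago, 10 minutes ago) apply otherwise.
    Returns the retrohunt id, final state, last progress value and whether
    this function cancelled the hunt because max_polls was exhausted.
    """
    args = {"rule_id": rule_id}
    if start_time:
        args["start_time"] = start_time
    if end_time:
        args["end_time"] = end_time
    started = _hunt(run("gcb-start-retrohunt", args))
    retrohunt_id = started["retrohuntId"]
    state = started.get("state", "STATE_UNSPECIFIED")
    progress = started.get("progressPercentage", 0)

    for attempt in range(max_polls):
        if attempt:
            sleep(poll_interval)
        current = _hunt(run("gcb-get-retrohunt",
                            {"id": rule_id, "retrohunt_id": retrohunt_id}))
        state = current.get("state", "STATE_UNSPECIFIED")
        progress = current.get("progressPercentage", progress)
        if state not in KNOWN_STATES:
            raise ValueError(f"unexpected retrohunt state {state!r}")
        if state in TERMINAL_STATES:
            return {"retrohuntId": retrohunt_id, "state": state,
                    "progressPercentage": progress, "cancelledByUs": False}

    # Poll budget exhausted while still running: cancel rather than leave
    # an unattended hunt consuming the tenant's retrohunt capacity.
    cancel = _hunt(run("gcb-cancel-retrohunt",
                       {"id": rule_id, "retrohunt_id": retrohunt_id}))
    cancelled = bool(cancel.get("cancelled"))
    return {"retrohuntId": retrohunt_id,
            "state": "CANCELLED" if cancelled else state,
            "progressPercentage": progress, "cancelledByUs": cancelled}


class FakeSecOps:
    """Constructed stand-in for the integration: answers the three retrohunt
    commands with context shaped like this page's Context Examples, and
    reports DONE after polls_to_finish gcb-get-retrohunt calls."""

    def __init__(self, polls_to_finish: int) -> None:
        self.polls_to_finish = polls_to_finish
        self.polls = 0
        self.cancelled = False
        self.calls: List[str] = []

    def __call__(self, command: str, args: Dict[str, str]) -> Dict[str, Any]:
        self.calls.append(command)
        base = {"retrohuntId": "oh_dummy_retrohunt_id",
                "ruleId": args.get("rule_id", args.get("id")),
                "versionId": "ru_dummy_rule_id@v_dummy_revision_id"}
        if command == "gcb-start-retrohunt":
            hunt = dict(base, state="RUNNING", progressPercentage=0)
        elif command == "gcb-get-retrohunt":
            self.polls += 1
            done = self.polls >= self.polls_to_finish
            hunt = dict(base, state="DONE" if done else "RUNNING",
                        progressPercentage=100 if done else 50)
        elif command == "gcb-cancel-retrohunt":
            self.cancelled = True
            hunt = {"id": args["id"], "retrohuntId": args["retrohunt_id"],
                    "cancelled": True}
        else:
            raise ValueError(f"unknown command {command}")
        return {"GoogleChronicleBackstory": {"RetroHunt": hunt}}


if __name__ == "__main__":
    print(run_retrohunt(FakeSecOps(polls_to_finish=3), "ru_dummy_rule_id",
                        start_time="1 day", sleep=lambda _: None))
```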

18. gcb-list-reference-list#


Retrieve all the reference lists.

Base Command#

gcb-list-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | Number of results to retrieve in the response. Maximum size allowed is 1000. Default is 100. | Optional |
| page_token | The next page token to retrieve the next set of results. | Optional |
| view | Select option to control the returned response. BASIC will return the metadata for the list, but not the full contents. FULL will return everything. Possible values are: BASIC, FULL. Default is BASIC. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceLists.name | String | Unique name of the list. |
| GoogleChronicleBackstory.ReferenceLists.description | String | Description of the list. |
| GoogleChronicleBackstory.ReferenceLists.createTime | Date | Time when the list was created. |
| GoogleChronicleBackstory.ReferenceLists.lines | String | List of line items. |
| GoogleChronicleBackstory.ReferenceLists.contentType | String | Content type of the reference list. |

Command Example#

!gcb-list-reference-list page_size=3

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceLists": [
{
"contentType": "PLAIN_TEXT",
"createTime": "2025-08-08T06:41:45.744591Z",
"description": "monitoring domain",
"lines": [
"lines2"
],
"name": "reference_list_1"
},
{
"contentType": "CIDR",
"createTime": "2025-07-22T07:22:19.247551Z",
"description": "Description",
"lines": [
"0.0.0.1/24"
],
"name": "reference_list_2"
}
]
}
}

Human Readable Output#

Reference List Details#

| Name | Content Type | Creation Time | Description | Content |
| --- | --- | --- | --- | --- |
| reference_list_1 | PLAIN_TEXT | 2025-07-14T07:50:45.350943Z | monitoring domain | lines2 |
| reference_list_2 | CIDR | 2025-07-22T07:22:19.247551Z | Description | 0.0.0.1/24 |

Maximum number of reference lists specified in page_size has been returned. To fetch the next set of lists, execute the command with the page token as dummy_token

19. gcb-get-reference-list#


Returns the specified list.

Base Command#

gcb-get-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the list to retrieve the result. | Required |
| view | Select option to control the returned response. BASIC will return the metadata for the list, but not the full contents. FULL will return everything. Possible values are: FULL, BASIC. Default is FULL. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceList.name | String | Unique name of the list. |
| GoogleChronicleBackstory.ReferenceList.description | String | Description of the list. |
| GoogleChronicleBackstory.ReferenceList.createTime | Date | Time when the list was created. |
| GoogleChronicleBackstory.ReferenceList.lines | String | List of line items. |
| GoogleChronicleBackstory.ReferenceList.contentType | String | Content type of the reference list. |

Command Example#

!gcb-get-reference-list name=test1

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-10T08:59:34.885679Z",
"description": "update",
"contentType": "PLAIN_TEXT",
"lines": [
"line_item_1",
"line_item_2"
],
"name": "test1"
}
}
}

Human Readable Output#

Reference List Details#

| Name | Content Type | Description | Creation Time | Content |
| --- | --- | --- | --- | --- |
| test1 | PLAIN_TEXT | update | 2022-06-10T08:59:34.885679Z | line_item_1, line_item_2 |

20. gcb-create-reference-list#


Create a new reference list.

Base Command#

gcb-create-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide a unique name of the list to create a reference list. | Required |
| description | Description of the list. | Required |
| lines | Enter the content to be added into the reference list. Format accepted is: "Line 1, Line 2, Line 3". | Optional |
| entry_id | Provide a unique file id consisting of lines to add. Note: Please provide either one of "lines" or "entry_id". You can get the entry_id from the context path (File.EntryID). | Optional |
| delimiter | Delimiter by which the content of the list is separated. Eg: " , ", " : ", " ; ". Default is " , ". | Optional |
| content_type | Select the content type for the reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX. Default is PLAIN_TEXT. | Optional |
| use_delimiter_for_file | Flag to control how the file content is split. If set to True, it uses the provided delimiter; otherwise it splits by new lines (\n). Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceList.name | String | Unique name of the list. |
| GoogleChronicleBackstory.ReferenceList.description | String | Description of the list. |
| GoogleChronicleBackstory.ReferenceList.lines | String | List of line items. |
| GoogleChronicleBackstory.ReferenceList.createTime | Date | Time when the list was created. |
| GoogleChronicleBackstory.ReferenceList.contentType | String | Content type of the reference list. |

Command Example#

!gcb-create-reference-list description="List created for readme" lines=L1,L2,L3 name=reference_list_name

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-16T07:45:37.285791Z",
"description": "List created for readme",
"contentType": "PLAIN_TEXT",
"lines": [
"L1",
"L2",
"L3"
],
"name": "reference_list_name"
}
}
}

Human Readable Output#

Reference List Details#

| Name | Content Type | Description | Creation Time | Content |
| --- | --- | --- | --- | --- |
| reference_list_name | PLAIN_TEXT | List created for readme | 2022-06-16T07:45:37.285791Z | L1, L2, L3 |

21. gcb-update-reference-list#


Updates an existing reference list.

Base Command#

gcb-update-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the list to update. | Required |
| lines | Enter the content to be updated into the reference list. Format accepted is: "Line 1, Line 2, Line 3". Note: Use gcb-get-reference-list to retrieve the content and description of the list. | Optional |
| entry_id | Provide a unique file id consisting of lines to update. Note: Please provide either one of "lines" or "entry_id". You can get the entry_id from the context path (File.EntryID). | Optional |
| description | Updated description of the list. | Optional |
| delimiter | Delimiter by which the content of the list is separated. Eg: " , ", " : ", " ; ". Default is " , ". | Optional |
| content_type | Select the content type for the reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX. | Optional |
| use_delimiter_for_file | Flag to control how the file content is split. If set to True, it uses the provided delimiter; otherwise it splits by new lines (\n). Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceList.name | String | Unique name of the list. |
| GoogleChronicleBackstory.ReferenceList.description | String | Description of the list. |
| GoogleChronicleBackstory.ReferenceList.lines | String | List of line items. |
| GoogleChronicleBackstory.ReferenceList.createTime | Date | Time when the list was created. |
| GoogleChronicleBackstory.ReferenceList.contentType | String | Content type of the reference list. |

Command Example#

!gcb-update-reference-list lines=Line1,Line2,Line3 name=reference_list_name

Context Example#

{
"GoogleChronicleBackstory": {
"ReferenceList": {
"createTime": "2022-06-16T07:11:11.380991Z",
"description": "list created for readme",
"contentType": "PLAIN_TEXT",
"lines": [
"Line1",
"Line2",
"Line3"
],
"name": "reference_list_name"
}
}
}

Human Readable Output#

Updated Reference List Details#

| Name | Content Type | Description | Creation Time | Content |
| --- | --- | --- | --- | --- |
| reference_list_name | PLAIN_TEXT | list created for readme | 2022-06-16T07:11:11.380991Z | Line1, Line2, Line3 |

22. gcb-verify-reference-list#


Validates list content and returns any errors found for each line.

Base Command#

gcb-verify-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lines | Enter the content to be validated in the reference list. Format accepted is: 'Line 1, Line 2, Line 3'. | Required |
| content_type | Select the content type for the reference list. Possible values are: PLAIN_TEXT, CIDR, REGEX. Default is PLAIN_TEXT. | Optional |
| delimiter | Delimiter by which the content of the list is separated. Eg: " , ", " : ", " ; ". Default is " , ". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.VerifyReferenceList.success | Boolean | Whether all of the submitted lines are valid. |
| GoogleChronicleBackstory.VerifyReferenceList.errors.linenumber | Number | The line number where the error occurred. |
| GoogleChronicleBackstory.VerifyReferenceList.errors.errorMessage | String | The error message describing the invalid pattern. |
| GoogleChronicleBackstory.VerifyReferenceList.command_name | String | The name of the command. |

Command Example#

!gcb-verify-reference-list lines="0.0.0.1" content_type="CIDR" delimiter=","

Context Example#

{
"GoogleChronicleBackstory": {
"VerifyReferenceList": {
"command_name": "gcb-verify-reference-list",
"errors": [
{
"errorMessage": "invalid cidr pattern 0.0.0.1",
"lineNumber": 1
}
],
"success": false
}
}
}

Human Readable Output#

The following lines contain invalid CIDR pattern#

| Line Number | Message |
| --- | --- |
| 1 | invalid cidr pattern 0.0.0.1 |
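An added example (not the integration's code) that applies the line splitting described by the lines, delimiter and use_delimiter_for_file arguments of commands 20 to 22, then runs a local pre-check that returns the same shape as the gcb-verify-reference-list context output, so bad entries are caught before a create or update call. The CIDR and REGEX checks are assumptions approximating the server's validation, not its actual rules.

```python
"""Local reference-list line splitting and validation, mirroring the
VerifyReferenceList context shape documented on this page."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

CONTENT_TYPES = ("PLAIN_TEXT", "CIDR", "REGEX")


def split_lines(content: str, delimiter: str = ",",
                use_delimiter_for_file: bool = False,
                from_file: bool = False) -> List[str]:
    """Split content into list lines the way the command arguments describe.

    Inline `lines` are always split on the delimiter. File content
    (entry_id) is split on newlines unless use_delimiter_for_file is set.
    Surrounding whitespace is stripped so " , " and "," behave alike, and
    empty items (trailing delimiters, blank lines) are dropped.
    """
    if from_file and not use_delimiter_for_file:
        parts = content.splitlines()
    else:
        parts = content.split(delimiter.strip() or delimiter)
    return [p.strip() for p in parts if p.strip()]


def _line_error(line: str, content_type: str) -> Optional[str]:
    """Return an error message for one line, or None when it is acceptable."""
    if content_type == "CIDR":
        # Assumption: a CIDR line must carry an explicit prefix length, so a
        # bare "0.0.0.1" is rejected exactly as the page's example shows.
        # strict=False keeps entries with host bits set (e.g. 0.0.0.1/24)
        # valid, matching the CIDR list shown under gcb-list-reference-list.
        if "/" not in line:
            return f"invalid cidr pattern {line}"
        try:
            ipaddress.ip_network(line, strict=False)
        except ValueError:
            return f"invalid cidr pattern {line}"
    elif content_type == "REGEX":
        # Assumption: Python's re syntax is used as a stand-in for the
        # server's regex dialect; unparseable patterns are reported.
        try:
            re.compile(line)
        except re.error as exc:
            return f"invalid regex pattern {line}: {exc}"
    # PLAIN_TEXT lines have no syntax to check.
    return None


def verify_reference_list(lines: str, content_type: str = "PLAIN_TEXT",
                          delimiter: str = ",") -> Dict[str, Any]:
    """Validate inline `lines` and return a VerifyReferenceList-shaped dict."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"content_type must be one of {CONTENT_TYPES}")
    errors = []
    for number, line in enumerate(split_lines(lines, delimiter), start=1):
        message = _line_error(line, content_type)
        if message:
            errors.append({"lineNumber": number, "errorMessage": message})
    return {"command_name": "gcb-verify-reference-list",
            "success": not errors, "errors": errors}


if __name__ == "__main__":
    # Reproduces the page's Command Example: a bare address is not a CIDR.
    print(verify_reference_list("0.0.0.1", "CIDR", ","))
```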

23. gcb-test-rule-stream#


Test a rule over a specified time range. Return any errors and any detections up to the specified maximum.

Base Command#

gcb-test-rule-stream

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_text | Rule text in YARA-L 2.0 format for the rule to stream. | Required |
| start_time | Start time for the time range of the rule being tested. The date must comply with RFC 3339 (e.g. 2022-10-02T15:00:00Z) or be a relative time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2022-05-01T00:00:00Z, 2022-05-01, 2 days, 5 hours, 01 Mar 2022, 01 Feb 2022 04:45:33, 15 Jun. Note: The time window between start_time and end_time cannot be greater than 2 weeks. | Required |
| end_time | End time for the time range of the rule being tested. The date must comply with RFC 3339 (e.g. 2022-10-02T15:00:00Z) or be a relative time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. Example: 2022-05-01T00:00:00Z, 2022-05-01, 2 days, 5 hours, 01 Mar 2022, 01 Feb 2022 04:45:33, 15 Jun. Note: The time window between start_time and end_time cannot be greater than 2 weeks. | Required |
| max_results | Maximum number of results to return. Specify a value between 1 and 10,000. Default is 1000. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.StreamRules.list.detection.type | String | Type of detection. |
| GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleName | String | Name of the rule generating the detection, as parsed from ruleText. |
| GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleType | String | Whether the rule generating this detection is a single event or multi-event rule. |
| GoogleChronicleBackstory.StreamRules.list.detection.detection.ruleLabels | Unknown | Information about the rule. |
| GoogleChronicleBackstory.StreamRules.list.detection.id | String | Identifier for the detection. |
| GoogleChronicleBackstory.StreamRules.list.detection.timeWindow.startTime | Date | The start time of the window the detection was found in. |
| GoogleChronicleBackstory.StreamRules.list.detection.timeWindow.endTime | Date | The end time of the window the detection was found in. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.vendorName | String | Specifies the product vendor's name. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.ingestedTimestamp | Date | The GMT timestamp when the event was ingested in the vendor's instance. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.metadata.id | String | Stores the ID of metadata. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.emailAddresses | Unknown | Stores the email addresses for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.productObjectId | String | Stores the product's object ID. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.attribute.labels | Unknown | Stores the user's session metrics. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.phoneNumbers | Unknown | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.city | String | Stores the city of the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.state | String | Stores the state of the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.personalAddress.name | String | Stores the address name of the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.companyName | String | Stores the user's company name. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.department | Unknown | Stores the user's departments. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.user.officeAddress.name | String | Stores the company's official address name. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.process.productSpecificProcessId | String | Stores the product-specific process ID. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.principal.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.about | Unknown | Stores event labels. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.securityResult | Unknown | Provides a description of the security result. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.applicationProtocol | String | Indicates the network application protocol. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.dns.questions | Unknown | Stores the domain name. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.references.event.network.dns.answers | Unknown | Stores DNS-associated data. |
| GoogleChronicleBackstory.StreamRules.list.detection.collectionElements.label | String | The variable a given set of UDM events belongs to. |
| GoogleChronicleBackstory.StreamRules.list.detection.detectionTime | Date | The time period the detection was found in. |

Command example

!gcb-test-rule-stream rule_text="rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }" start_time="3 days" end_time="1 hour" max_results="2"

Context Example

{
"GoogleChronicleBackstory": {
"StreamRules": {
"list": [
{
"detection": {
"type": "RULE_DETECTION",
"detection": [
{
"ruleName": "singleEventRule1",
"description": "single event rule that should generate detections",
"ruleType": "SINGLE_EVENT",
"ruleLabels": [
{
"key": "author",
"value": "securityuser"
},
{
"key": "description",
"value": "single event rule that should generate detections"
}
]
}
],
"id": "de_dummy_detection_id_1",
"timeWindow": {
"startTime": "2025-07-28T19:31:37Z",
"endTime": "2025-07-28T19:31:37Z"
},
"collectionElements": [
{
"references": [
{
"event": {
"metadata": {
"eventTimestamp": "2025-07-28T19:31:37Z",
"eventType": "dummy_event_type",
"vendorName": "dummy_vendor_name",
"productName": "dummy_product_name",
"ingestedTimestamp": "2025-07-28T08:05:40.391043Z",
"id": "dummy_event_id",
"logType": "WINDOWS_DNS",
"baseLabels": {
"logTypes": [
"WINDOWS_DNS"
],
"allowScopedAccess": true
},
"enrichmentLabels": {
"allowScopedAccess": true
}
},
"additional": {
"Internal Packet Identifier": "0000000000000001",
"dns_record_type": "A"
},
"principal": {
"ip": [
"0.0.0.1"
],
"location": {
"state": "state",
"countryOrRegion": "country",
"regionLatitude": 0,
"regionLongitude": 0,
"regionCoordinates": {
"latitude": 0,
"longitude": 0
}
},
"asset": {
"ip": [
"0.0.0.1"
]
},
"ipGeoArtifact": [
{
"ip": "0.0.0.1",
"location": {
"state": "state",
"countryOrRegion": "country",
"regionLatitude": 0,
"regionLongitude": 0,
"regionCoordinates": {
"latitude": 0,
"longitude": 0
}
},
"network": {
"carrierName": "carrier",
"organizationName": "organization"
}
}
]
},
"target": {
"hostname": "test.com",
"asset": {
"hostname": "test.com"
}
},
"intermediary": [
{
"hostname": "AAAA-AA-AA01",
"asset": {
"platformSoftware": {
"platform": "WINDOWS"
}
}
}
],
"about": [
{
"labels": [
{
"key": "Internal Packet Identifier",
"value": "0000000000000001"
}
]
}
],
"network": {
"ipProtocol": "UDP",
"applicationProtocol": "DNS",
"dns": {
"questions": [
{
"name": "test.com",
"type": 1
}
],
"id": 64395,
"recursionDesired": true
},
"direction": "OUTBOUND"
},
"extracted": {
"resource_attributes.host.name": "AAAA-AA-AA01",
"resource_attributes.os.type": "windows",
"attributes.log.file.name": "test.txt",
"attributes.log_type": "WINDOWS_DNS",
"body": "7/28/2025 7:31:37 PM PACKET"
}
}
}
],
"label": "e"
}
],
"detectionTime": "2025-07-28T19:31:37Z"
}
}
]
}
}
}

Human Readable Output

Detection(s)

| Detection ID | Detection Type | Detection Time | Events |
|---|---|---|---|
| de_dummy_detection_id_1 | RULE_DETECTION | 2025-07-28T19:31:37Z | Event Timestamp: 2025-07-28T19:31:37Z<br>Event Type: dummy_event_type<br>Principal Asset Identifier: 0.0.0.1<br>Target Asset Identifier: test.com |

24. gcb-list-curatedrules

List curated rules.

Base Command

gcb-list-curatedrules

Input

| Argument Name | Description | Required |
|---|---|---|
| page_token | Page token received from a previous call. Use to retrieve the next page. | Optional |
| page_size | Specify the maximum number of rules to return. You can specify between 1 and 1000. Default is 100. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| GoogleChronicleBackstory.CuratedRules.ruleId | String | Unique identifier for a rule, defined and returned by the server. |
| GoogleChronicleBackstory.CuratedRules.ruleName | String | Name of the rule. |
| GoogleChronicleBackstory.CuratedRules.severity | String | Severity of the rule ("Info", "Low", or "High"). |
| GoogleChronicleBackstory.CuratedRules.ruleType | String | Type of the rule ("SINGLE_EVENT" or "MULTI_EVENT"). |
| GoogleChronicleBackstory.CuratedRules.precision | String | Precision of the rule ("BROAD" or "PRECISE"). |
| GoogleChronicleBackstory.CuratedRules.tactics | String | List of MITRE tactic IDs covered by the rule. |
| GoogleChronicleBackstory.CuratedRules.techniques | String | List of MITRE technique IDs covered by the rule. |
| GoogleChronicleBackstory.CuratedRules.updateTime | Date | String representing the time the rule was last updated, in RFC 3339 format. |
| GoogleChronicleBackstory.CuratedRules.ruleSet | String | Unique identifier of the Chronicle rule set containing the rule. |
| GoogleChronicleBackstory.CuratedRules.description | String | Description of the rule. |
| GoogleChronicleBackstory.CuratedRules.metadata.false_positives | String | False-positive notes for the rule, taken from the rule metadata. |
| GoogleChronicleBackstory.CuratedRules.metadata.reference | String | Reference for the rule. |
| GoogleChronicleBackstory.Token.name | String | The name of the command to which the value of the nextPageToken corresponds. |
| GoogleChronicleBackstory.Token.nextPageToken | String | A page token that can be provided to the next call to view the next page of rules. Absent if this is the last page. |

Command example

!gcb-list-curatedrules page_size=1

Context Example

{
"GoogleChronicleBackstory": {
"CuratedRules": {
"description": "Detects mass deletion of firewall rules by non-service accounts.",
"metadata": {
"false_positives": "Deleting many firewall rules is not necessarily malicious, but could be used to disrupt operations."
},
"precision": "BROAD",
"ruleId": "ur_dummy_curated_rule_id",
"ruleName": "Test Rule 1",
"ruleSet": "dummy_curated_rule_set_id",
"ruleType": "SINGLE_EVENT",
"severity": "High",
"tactics": [
"TA0040"
],
"techniques": [
"T1489"
],
"updateTime": "2025-05-29T18:36:10.155175Z"
},
"Token": {
"name": "gcb-list-curatedrules",
"nextPageToken": "next_page_token"
}
}
}

Human Readable Output

Curated Rules

| Rule ID | Rule Name | Severity | Rule Type | Rule Set | Description |
|---|---|---|---|---|---|
| ur_dummy_curated_rule_id | Test Rule 1 | High | SINGLE_EVENT | dummy_curated_rule_set_id | Detects mass deletion of firewall rules by non-service accounts. |

Maximum number of curated rules specified in page_size has been returned. To fetch the next set of curated rules, execute the command with the page token as next_page_token.

25. gcb-list-curatedrule-detections

Return the detections for the specified curated rule identifier.

Base Command

gcb-list-curatedrule-detections

Input

| Argument Name | Description | Required |
|---|---|---|
| id | Unique identifier for a curated rule, defined and returned by the server. You can specify exactly one curated rule identifier. | Required |
| alert_state | Filter detections based on whether the alert state is ALERTING or NOT_ALERTING. Do not specify to return all detections. Possible values are: ALERTING, NOT_ALERTING. | Optional |
| page_size | Specify the limit on the number of detections to display. You can specify between 1 and 1000. Default is 100. | Optional |
| page_token | A page token received from a previous call. Provide this to retrieve the subsequent page. If the page token is configured, it overrides the detection start and end time arguments. | Optional |
| list_basis | Sort detections by "DETECTION_TIME" or by "CREATED_TIME". If not specified, it defaults to "DETECTION_TIME". Detections are returned in descending order of the timestamp. Possible values are: DETECTION_TIME, CREATED_TIME. | Optional |
| start_time | Start time of the time range to return detections for, filtered by the detection field specified in the list_basis parameter. If not specified, the start time is treated as open-ended.<br>Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.<br>Example: 2023-05-01T00:00:00Z, 2023-05-01, 2 days, 5 hours, 01 Mar 2021, 01 Feb 2023 04:45:33, 15 Jun. | Optional |
| end_time | End time of the time range to return detections for, filtered by the detection field specified by the list_basis parameter. If not specified, the end time is treated as open-ended.<br>Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours.<br>Example: 2023-05-01T00:00:00Z, 2023-05-01, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2021 04:45:33, 15 Jun. | Optional |
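Paging through these two list commands from a script, as an added example that is not part of the integration's own code: `iter_pages` follows `GoogleChronicleBackstory.Token.nextPageToken` until it is absent (the last page), checks `Token.name` against the command that produced it, and drops `start_time`/`end_time` once `page_token` is set, because the page token overrides them for gcb-list-curatedrule-detections. The command runner, the sample detections and the token values are constructed stand-ins; inside Cortex XSOAR the runner would wrap demisto.executeCommand and return the entry context.

```python
"""Pagination helper for the gcb-list-curatedrules / gcb-list-curatedrule-detections
context shape. Added example; the runner, page contents and tokens are constructed."""
from typing import Callable, Dict, Iterator, List

# A runner takes (command name, arguments) and returns the command's context, i.e. a
# dict rooted at "GoogleChronicleBackstory". In XSOAR it would wrap
# demisto.executeCommand; here it is supplied by the caller (assumption).
Runner = Callable[[str, Dict[str, str]], dict]

TIME_RANGE_ARGS = ("start_time", "end_time")


def iter_pages(run: Runner, command: str, args: Dict[str, str],
               result_key: str, max_pages: int = 50) -> Iterator[List[dict]]:
    """Yield the result list of each page until the server omits nextPageToken."""
    args = dict(args)
    seen_tokens = set()
    for _ in range(max_pages):
        root = run(command, args).get("GoogleChronicleBackstory", {})
        items = root.get(result_key, [])
        if isinstance(items, dict):
            # A single-object page (as in the page_size=1 curated-rules example)
            # comes back as a dict rather than a list.
            items = [items]
        yield items
        token = root.get("Token") or {}
        next_token = token.get("nextPageToken")
        if not next_token:
            return  # nextPageToken is absent on the last page.
        if token.get("name") != command:
            raise ValueError(f"page token belongs to {token.get('name')!r}, not {command!r}")
        if next_token in seen_tokens:
            raise RuntimeError("server repeated a page token; aborting to avoid a loop")
        seen_tokens.add(next_token)
        # page_token overrides start_time/end_time, so drop them instead of sending
        # arguments the server will ignore.
        args = {k: v for k, v in args.items() if k not in TIME_RANGE_ARGS}
        args["page_token"] = next_token
    raise RuntimeError(f"gave up after {max_pages} pages without reaching the last one")


def collect_curated_rule_detections(run: Runner, rule_id: str, alert_state: str = "ALERTING",
                                    start_time: str = "7 days", end_time: str = "1 hour",
                                    page_size: str = "1000") -> List[dict]:
    """Fetch every detection for one curated rule across all pages."""
    args = {"id": rule_id, "alert_state": alert_state, "start_time": start_time,
            "end_time": end_time, "page_size": page_size}
    detections: List[dict] = []
    for page in iter_pages(run, "gcb-list-curatedrule-detections", args, "CuratedRuleDetections"):
        detections.extend(page)
    return detections


def count_by_severity(detections: List[dict]) -> Dict[str, int]:
    """Tally detections by the documented severity field (INFORMATIONAL/LOW/HIGH)."""
    counts: Dict[str, int] = {}
    for det in detections:
        sev = det.get("severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample pages: ids and severities are placeholders, not real detections.
SAMPLE_PAGES = [
    [{"id": "de_constructed_1", "severity": "HIGH"}, {"id": "de_constructed_2", "severity": "LOW"}],
    [{"id": "de_constructed_3", "severity": "HIGH"}],
]


def make_stub_runner(pages: List[List[dict]]) -> Runner:
    """Constructed stand-in for executeCommand: serves `pages` in order, attaches a
    Token only while more pages remain, and records every call's arguments."""
    calls: List[Dict[str, str]] = []

    def run(command: str, args: Dict[str, str]) -> dict:
        calls.append(dict(args))
        idx = min(len(calls) - 1, len(pages) - 1)
        root = {"CuratedRuleDetections": pages[idx]}
        if idx < len(pages) - 1:
            root["Token"] = {"name": command, "nextPageToken": f"tok_{idx + 1}"}
        return {"GoogleChronicleBackstory": root}

    run.calls = calls  # type: ignore[attr-defined]
    return run


if __name__ == "__main__":
    stub = make_stub_runner(SAMPLE_PAGES)
    found = collect_curated_rule_detections(stub, "ur_dummy_curated_rule_id")
    print(len(found), "detections over", len(stub.calls), "calls:", count_by_severity(found))
```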

Context Output

| Path | Type | Description |
|---|---|---|
| GoogleChronicleBackstory.CuratedRuleDetections.id | String | Identifier for the detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleId | String | Identifier for the rule generating the detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleName | String | Name of the rule generating the detection, as parsed from ruleText. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleSet | String | The identifier of the Chronicle rule set that generated this detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleSetDisplayName | String | The display name of the Chronicle rule set that generated this detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.tags | Unknown | A list of MITRE tactic and technique IDs covered by the Chronicle rule. |
| GoogleChronicleBackstory.CuratedRuleDetections.timeWindowStartTime | Date | The start time of the window the detection was found in. |
| GoogleChronicleBackstory.CuratedRuleDetections.timeWindowEndTime | Date | The end time of the window the detection was found in. |
| GoogleChronicleBackstory.CuratedRuleDetections.alertState | String | Indicates whether the rule generating this detection currently has alerting enabled or disabled. |
| GoogleChronicleBackstory.CuratedRuleDetections.description | String | Description of the Chronicle rule that generated the detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.urlBackToProduct | String | URL pointing to the Chronicle UI for this detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.type | String | Type of detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.createdTime | Date | Time the detection was created. |
| GoogleChronicleBackstory.CuratedRuleDetections.detectionTime | Date | The time period the detection was found in. |
| GoogleChronicleBackstory.CuratedRuleDetections.lastUpdatedTime | Date | The time the detection was last updated. |
| GoogleChronicleBackstory.CuratedRuleDetections.riskScore | Number | Risk score of the detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.severity | String | Severity of the detection ("INFORMATIONAL", "LOW", or "HIGH"). |
| GoogleChronicleBackstory.CuratedRuleDetections.summary | String | Summary for the generated detection. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleType | String | Whether the rule generating this detection is a single-event or multi-event rule. |
| GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.key | String | The key for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.source | String | The source for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.detectionFields.value | String | The value for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.outcomes.key | String | The key for a field specified in the outcomes of the detection, for "MULTI_EVENT" rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.outcomes.source | String | The source for a field specified in the outcomes of the detection, for "MULTI_EVENT" rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.outcomes.value | String | The value for a field specified in the outcomes of the detection, for "MULTI_EVENT" rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleLabels.key | String | The key for a field specified in the Chronicle rule metadata. |
| GoogleChronicleBackstory.CuratedRuleDetections.ruleLabels.value | String | The value for a field specified in the Chronicle rule metadata. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.label | String | The variable a given set of UDM events belongs to. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principalAssetIdentifier | String | Specifies the principal asset identifier of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.targetAssetIdentifier | String | Specifies the target asset identifier of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.collectedTimestamp | Date | The GMT timestamp when the event was collected. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.id | String | The event ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestedTimestamp | Date | The GMT timestamp when the event was ingested in the vendor's instance. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestionLabels.key | String | The key for a field specified in the ingestion labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.ingestionLabels.value | String | The value for a field specified in the ingestion labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.logType | String | Type of log. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.description | String | Human-readable description of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.productVersion | String | Specifies the version of the product. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.urlBackToProduct | String | URL linking to a relevant website where you can view more information about this specific event or the general event category. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.vendorName | String | Specifies the product vendor's name. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.email | String | Email address. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platform | String | Platform operating system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.ip | String | IP address associated with a network connection for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.countryOrRegion | String | Associated country or region for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionCoordinates.latitude | Number | Latitude coordinates of the region for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionCoordinates.longitude | Number | Longitude coordinates of the region for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionLatitude | Number | Latitude of the region for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.regionLongitude | Number | Longitude of the region for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.location.state | String | Associated state of IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.asn | String | Associated ASN with a network connection for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.carrierName | String | Associated carrier name with a network connection for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.dnsDomain | String | Associated DNS domain with a network connection for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipGeoArtifact.network.organizationName | String | Associated organization name with a network connection for IP Geolocation. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.countryOrRegion | String | Associated country or region for the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionCoordinates.latitude | Number | Latitude coordinates of the region for the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionCoordinates.longitude | Number | Longitude coordinates of the region for the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionLatitude | Number | Latitude of the region for the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.regionLongitude | Number | Longitude of the region for the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.ipLocation.state | String | Associated state of the IP location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.labels.key | String | The key for a field specified in the principal labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.labels.value | String | The value for a field specified in the principal labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.countryOrRegion | String | Associated country or region for the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionCoordinates.latitude | Number | Latitude coordinates of the region for the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionCoordinates.longitude | Number | Longitude coordinates of the region for the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionLatitude | Number | Latitude of the region for the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.regionLongitude | Number | Longitude of the region for the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.location.state | String | Associated state of the principal location. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.cloud.project.name | String | Associated name of the project specified in the principal resource. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.cloud.project.resourceSubtype | String | Associated resource sub-type of the project specified in the principal resource. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.labels.key | String | The key for a field specified in the principal resource labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.resource.attribute.labels.value | String | The value for a field specified in the principal resource labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.cloud.environment | String | Associated environment specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.cloud.project.id | String | Associated ID of the project specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.permissions.name | String | Associated name of the permission specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.permissions.type | String | Associated type of the permission specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.description | String | Associated description of the role specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.name | String | Associated name of the role specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.attribute.roles.type | String | Associated type of the role specified in the principal user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.mac | String | MAC addresses associated with a device. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.url | String | Standard URL. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.file.size | String | Size of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.productSpecificProcessId | String | Stores the product-specific process ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.productSpecificParentProcessId | String | Stores the product-specific process ID for the parent process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.productObjectId | String | Stores the product object ID for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.principal.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.email | String | Email address. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platform | String | Platform operating system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.administrativeDomain | String | Domain to which the device belongs (for example, the Windows domain). |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.application | String | Application of the target related to the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.availabilityZone | String | Associated availability zone specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.environment | String | Associated environment specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.project.name | String | Associated name of the project specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.cloud.vpc | Unknown | Associated VPC specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.name | String | Associated resource name specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.productObjectId | String | Associated product object ID specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.resourceType | String | Associated resource type specified in the event target. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.attribute.labels.key | String | The key for a field specified in the principal resource labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.resource.attribute.labels.value | String | The value for a field specified in the principal resource labels of the event. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.url | String | Standard URL. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.file.size | String | Size of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.productSpecificProcessId | String | Stores the product-specific process ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.productSpecificParentProcessId | String | Stores the product-specific process ID for the parent process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.cloud.environmentStringAssociated environment specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.cloud.project.idStringAssociated ID of the project specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.roles.nameStringAssociated name of the role specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.attribute.roles.typeStringAssociated type of the role specified in the target user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.emailAddressesUnknownStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.productObjectIdStringStores the human resources product object ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.administrativeDomainStringDomain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.administrativeDomainStringDomain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.administrativeDomainStringDomain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.emailStringEmail address.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformStringPlatform operating system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.administrativeDomainStringDomain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.urlStringStandard URL.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.about.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.applicationProtocol | String | Indicates the network application protocol. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.direction | String | Indicates the direction of network traffic. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email | String | Specifies the email address for the sender/recipient. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.ipProtocol | String | Indicates the IP protocol. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.receivedBytes | String | Specifies the number of bytes received. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.sentBytes | String | Specifies the number of bytes sent. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.clientHostname | String | Hostname for the client. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.clientIdentifier | String | Client identifier. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.file | String | Filename for the boot image. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.flags | String | Value for the DHCP flags field. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.hlen | String | Hardware address length. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.hops | String | DHCP hop count. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.htype | String | Hardware address type. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.leaseTimeSeconds | String | Client-requested lease time for an IP address in seconds. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.opcode | String | BOOTP op code. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.requestedAddress | String | Client identifier. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.seconds | String | Seconds elapsed since the client began the address acquisition/renewal process. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.sname | String | Name of the server that the client has requested to boot from. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.transactionId | String | Client transaction ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.type | String | DHCP message type. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.chaddr | String | IP address for the client hardware. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.ciaddr | String | IP address for the client. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.giaddr | String | IP address for the relay agent. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.siaddr | String | IP address for the next bootstrap server. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dhcp.yiaddr | String | Your IP address. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authoritative | String | Set to true for authoritative DNS servers. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.id | String | Stores the DNS query identifier. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.response | String | Set to true if the event is a DNS response. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.opcode | String | Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.). |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.recursionAvailable | String | Set to true if a recursive DNS lookup is available. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.recursionDesired | String | Set to true if a recursive DNS lookup is requested. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.responseCode | String | Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.truncated | String | Set to true if this is a truncated DNS response. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.name | String | Stores the domain name. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.class | String | Stores the code specifying the class of the query. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.questions.type | String | Stores the code specifying the type of the query. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.answers.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.authority.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.binaryData | String | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.class | String | Stores the code specifying the class of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.name | String | Stores the name of the owner of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.dns.additional.type | String | Stores the code specifying the type of the resource record. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.from | String | Stores the from email address. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.replyTo | String | Stores the reply_to email address. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.to | String | Stores the to email addresses. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.cc | String | Stores the cc email addresses. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.bcc | String | Stores the bcc email addresses. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.mailId | String | Stores the mail (or message) ID. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.email.subject | String | Stores the email subject line. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.ftp.command | String | Stores the FTP command. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.method | String | Stores the HTTP request method. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.referralUrl | String | Stores the URL for the HTTP referer. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.responseCode | String | Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.network.http.useragent | String | Stores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.authentication.authType | String | Type of system an authentication event is associated with (Chronicle UDM). |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.authentication.mechanism | String | Mechanism(s) used for authentication. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.about | String | Provide a description of the security result. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.action | Unknown | Specify a security action. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.category | String | Specify a security category. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.categoryDetails | Unknown | Specify the security category details. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.detectionFields.key | String | The key for a field specified in the security result, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.detectionFields.value | String | The value for a field specified in the security result, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.confidence | String | Specify a confidence with regards to a security event as estimated by the product. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.confidenceDetails | String | Additional details with regards to the confidence of a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.priority | String | Specify a priority with regards to a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.priorityDetails | String | Vendor-specific information about the security result priority. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.ruleId | String | Identifier for the security rule. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.ruleName | String | Name of the security rule. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.severity | String | Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.severityDetails | String | Severity for a security event as estimated by the product vendor. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.threatName | String | Name of the security threat. |
| GoogleChronicleBackstory.CuratedRuleDetections.collectionElements.references.securityResult.urlBackToProduct | String | URL to direct you to the source product console for this security event. |
| GoogleChronicleBackstory.Token.name | String | The name of the command to which the value of the nextPageToken corresponds. |
| GoogleChronicleBackstory.Token.nextPageToken | String | A page token that can be provided to the next call to view the next page of detections. Absent if this is the last page. |

#### Command example

```
!gcb-list-curatedrule-detections id="ur_dummy_curatedrule_id" page_size="2"
```

#### Context Example

```json
{
    "GoogleChronicleBackstory": {
        "CuratedRuleDetections": [
            {
                "alertState": "ALERTING",
                "createdTime": "2023-06-14T18:38:30.569526Z",
                "description": "Identifies mass deletion of secrets in GCP Secret Manager.",
                "detectionFields": [
                    {
                        "key": "field1",
                        "value": "value1"
                    }
                ],
                "detectionTime": "2023-06-14T17:28:00Z",
                "id": "de_dummy_detection_id_1",
                "lastUpdatedTime": "2023-06-14T18:38:30.569526Z",
                "outcomes": [
                    {
                        "key": "risk_score",
                        "value": "35"
                    },
                    {
                        "key": "resource_name",
                        "value": "dummy_secret_1, dummy_secret_2"
                    },
                    {
                        "key": "ip",
                        "value": "0.0.0.0"
                    }
                ],
                "riskScore": 35,
                "ruleId": "ur_dummy_rule_id",
                "ruleLabels": [
                    {
                        "key": "rule_name",
                        "value": "GCP Secret Manager Mass Deletion"
                    },
                    {
                        "key": "false_positives",
                        "value": "This may be common behavior in dev, testing, or deprecated projects."
                    }
                ],
                "ruleName": "GCP Secret Manager Mass Deletion",
                "ruleSet": "dummy_ruleset_id",
                "ruleSetDisplayName": "Service Disruption",
                "ruleType": "MULTI_EVENT",
                "severity": "LOW",
                "summary": "Rule Detection",
                "timeWindowEndTime": "2023-06-14T17:28:00Z",
                "timeWindowStartTime": "2023-06-14T17:18:00Z",
                "type": "GCTI_FINDING",
                "urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_dummy_detection_id_1"
            },
            {
                "alertState": "ALERTING",
                "createdTime": "2023-06-14T18:38:30.569526Z",
                "description": "Identifies mass deletion of secrets in GCP Secret Manager.",
                "detectionFields": [
                    {
                        "key": "field1",
                        "value": "value1"
                    },
                    {
                        "key": "field2",
                        "value": "value2"
                    }
                ],
                "detectionTime": "2023-06-14T17:28:00Z",
                "id": "de_dummy_detection_id_2",
                "lastUpdatedTime": "2023-06-14T18:38:30.569526Z",
                "outcomes": [
                    {
                        "key": "risk_score",
                        "value": "35"
                    },
                    {
                        "key": "resource_name",
                        "value": "dummy_secret_1, dummy_secret_2"
                    },
                    {
                        "key": "ip",
                        "value": "0.0.0.0"
                    }
                ],
                "riskScore": 35,
                "ruleId": "ur_dummy_rule_id",
                "ruleLabels": [
                    {
                        "key": "rule_name",
                        "value": "GCP Secret Manager Mass Deletion"
                    },
                    {
                        "key": "false_positives",
                        "value": "This may be common behavior in dev, testing, or deprecated projects."
                    }
                ],
                "ruleName": "GCP Secret Manager Mass Deletion",
                "ruleSet": "dummy_ruleset_id",
                "ruleSetDisplayName": "Service Disruption",
                "ruleType": "MULTI_EVENT",
                "severity": "LOW",
                "summary": "Rule Detection",
                "timeWindowEndTime": "2023-06-14T17:28:00Z",
                "timeWindowStartTime": "2023-06-14T17:18:00Z",
                "type": "GCTI_FINDING",
                "urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_dummy_detection_id_2"
            }
        ],
        "Token": {
            "name": "gcb-list-curatedrule-detections",
            "nextPageToken": "next_page_token"
        }
    }
}
```

#### Human Readable Output

##### Curated Detection(s) Details For Rule: GCP Secret Manager Mass Deletion

| Detection ID | Description | Detection Type | Detection Time | Alert State | Detection Severity | Detection Risk-Score |
| --- | --- | --- | --- | --- | --- | --- |
| de_dummy_detection_id_1 | Identifies mass deletion of secrets in GCP Secret Manager. | GCTI_FINDING | 2023-06-14T17:28:00Z | ALERTING | LOW | 35 |
| de_dummy_detection_id_2 | Identifies mass deletion of secrets in GCP Secret Manager. | GCTI_FINDING | 2023-06-14T17:28:00Z | ALERTING | LOW | 35 |

View all Curated Detections for this rule in Google SecOps by clicking on GCP Secret Manager Mass Deletion, and view an individual detection in Google SecOps by clicking on its respective Detection ID. The maximum number of detections specified in page_size has been returned. To fetch the next set of detections, execute the command with the page token next_page_token.
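Following the `nextPageToken` until the `Token` object omits it, and collapsing the `outcomes`/`ruleLabels` key-value lists into dicts, is the loop an automation built on this command ends up writing. The block below is an added example, not the integration's own code: `fetch_page` is a hypothetical callable standing in for running `!gcb-list-curatedrule-detections`, and the sample pages are constructed from the dummy values in the context example above.

```python
"""Added example: page through gcb-list-curatedrule-detections context output and
flatten the key/value lists it carries (outcomes, ruleLabels, detectionFields).
fetch_page is a hypothetical callable standing in for the command invocation;
the sample pages below are constructed from the page's dummy values."""

COMMAND_NAME = "gcb-list-curatedrule-detections"


def kv_list_to_dict(pairs):
    """Collapse [{"key": k, "value": v}, ...] into {k: v}; later keys win."""
    return {item["key"]: item["value"] for item in (pairs or [])}


def summarize_detection(det):
    """Reduce one CuratedRuleDetections entry to the fields an analyst triages on."""
    outcomes = kv_list_to_dict(det.get("outcomes"))
    labels = kv_list_to_dict(det.get("ruleLabels"))
    resources = outcomes.get("resource_name", "")
    return {
        "id": det["id"],
        "rule_name": labels.get("rule_name") or det.get("ruleName"),
        "severity": det.get("severity"),
        # outcomes carry risk_score as a string; fall back to the numeric riskScore
        "risk_score": int(outcomes.get("risk_score", det.get("riskScore", 0))),
        "resources": [r.strip() for r in resources.split(",") if r.strip()],
        "detection_time": det.get("detectionTime"),
        "url": det.get("urlBackToProduct"),
    }


def iter_curated_detections(fetch_page, rule_id, page_size):
    """Yield every detection for rule_id, following nextPageToken until the
    Token object omits it (the documented last-page signal)."""
    token = None
    seen = set()
    while True:
        ctx = fetch_page(rule_id, page_size, token)["GoogleChronicleBackstory"]
        for det in ctx.get("CuratedRuleDetections", []):
            if det["id"] in seen:  # tolerate overlap between consecutive pages
                continue
            seen.add(det["id"])
            yield det
        tok = ctx.get("Token") or {}
        if tok.get("name", COMMAND_NAME) != COMMAND_NAME:
            raise ValueError(f"page token belongs to {tok['name']}, not {COMMAND_NAME}")
        token = tok.get("nextPageToken")
        if not token:
            return


def detections_at_or_above(fetch_page, rule_id, page_size=2, min_risk_score=0):
    """Collect summaries whose risk_score meets the threshold, across all pages."""
    summaries = (summarize_detection(d)
                 for d in iter_curated_detections(fetch_page, rule_id, page_size))
    return [s for s in summaries if s["risk_score"] >= min_risk_score]


# --- constructed sample data, modelled on the context example above -----------
def _detection(det_id, risk_score, resources):
    return {
        "alertState": "ALERTING",
        "detectionTime": "2023-06-14T17:28:00Z",
        "id": det_id,
        "outcomes": [
            {"key": "risk_score", "value": str(risk_score)},
            {"key": "resource_name", "value": ", ".join(resources)},
            {"key": "ip", "value": "0.0.0.0"},
        ],
        "riskScore": risk_score,
        "ruleId": "ur_dummy_rule_id",
        "ruleLabels": [{"key": "rule_name", "value": "GCP Secret Manager Mass Deletion"}],
        "ruleName": "GCP Secret Manager Mass Deletion",
        "severity": "LOW",
        "type": "GCTI_FINDING",
        "urlBackToProduct": f"https://dummy-chronicle/alert?alertId={det_id}",
    }


# Page 1 (no token) holds page_size=2 detections plus a nextPageToken; page 2
# holds the remainder and no nextPageToken, which marks it as the last page.
SAMPLE_PAGES = {
    None: {"GoogleChronicleBackstory": {
        "CuratedRuleDetections": [
            _detection("de_dummy_detection_id_1", 35, ["dummy_secret_1", "dummy_secret_2"]),
            _detection("de_dummy_detection_id_2", 35, ["dummy_secret_1", "dummy_secret_2"]),
        ],
        "Token": {"name": COMMAND_NAME, "nextPageToken": "next_page_token"},
    }},
    "next_page_token": {"GoogleChronicleBackstory": {
        "CuratedRuleDetections": [
            _detection("de_dummy_detection_id_3", 80, ["dummy_secret_3"]),
        ],
        "Token": {"name": COMMAND_NAME},
    }},
}


def fake_fetch_page(rule_id, page_size, page_token):
    """Stand-in for running the command; serves the constructed pages above."""
    return SAMPLE_PAGES[page_token]


if __name__ == "__main__":
    for summary in detections_at_or_above(fake_fetch_page, "ur_dummy_curatedrule_id"):
        print(summary)
```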

### 26. gcb-udm-search

Lists the events for the specified UDM Search query. Note: the underlying API has a rate limit of 360 queries per hour.

#### Base Command

```
gcb-udm-search
```

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| start_time | The value of the start time for your request. The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time. If not supplied, the product considers the UTC time corresponding to 3 days earlier than the current time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. If the date is supplied as a duration, it will be calculated as time.now() - duration. Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun. | Optional |
| end_time | The value of the end time for your request. The date format should comply with RFC 3339 (e.g., 2023-01-02T15:00:00Z) or relative time. If not supplied, the product considers the current UTC time. Formats: YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-dd, N days, N hours. If the date is supplied as a duration, it will be calculated as time.now() - duration. Example: 2023-04-25T00:00:00Z, 2023-04-25, 2 days, 5 hours, 01 Mar 2023, 01 Feb 2023 04:45:33, 15 Jun. | Optional |
| limit | Specify the maximum number of matched events to return. You can specify between 1 and 1000. Default is 200. | Optional |
| query | UDM search query. | Required |
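The time-window and limit rules in the argument table are easy to get wrong when the command is driven from a playbook, so here is an added example (not the integration's code) that normalises the arguments exactly as the table describes: RFC 3339 with `Z` and `YYYY-MM-dd` pass through, `N days` / `N hours` become `time.now() - duration`, a missing start defaults to 3 days before now, a missing end to now, and `limit` must lie in 1..1000 with a default of 200. `FIXED_NOW`, the sample query value and the start-before-end check are constructed for the example; the free-form dates also listed in the table (e.g. `01 Mar 2023`) are not handled here.

```python
"""Added example: normalise gcb-udm-search arguments as the argument table
describes them. Handles RFC 3339 with Z, YYYY-MM-dd, and relative 'N days' /
'N hours' (taken as now - duration), the defaults (start = now - 3 days,
end = now) and the 1..1000 limit range with its default of 200."""
import re
from datetime import datetime, timedelta, timezone

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"
DATE_ONLY = "%Y-%m-%d"
_RELATIVE = re.compile(r"^(\d+)\s+(days?|hours?)$", re.IGNORECASE)

# Fixed clock so the example is reproducible; constructed value, not from the page.
FIXED_NOW = datetime(2023, 4, 25, 12, 0, 0, tzinfo=timezone.utc)


def parse_time_arg(value, now, default_offset):
    """Return an aware UTC datetime for a start_time/end_time argument.
    An empty value yields now - default_offset (3 days for start, 0 for end)."""
    text = "" if value is None else str(value).strip()
    if not text:
        return now - default_offset
    match = _RELATIVE.match(text)
    if match:  # relative duration: time.now() - duration
        amount, unit = int(match.group(1)), match.group(2).lower()
        delta = timedelta(days=amount) if unit.startswith("day") else timedelta(hours=amount)
        return now - delta
    for fmt in (RFC3339, DATE_ONLY):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported time format: {text!r}")


def validate_limit(value, default=200, lowest=1, highest=1000):
    """Apply the documented default and 1..1000 bounds to the limit argument."""
    if value is None or str(value).strip() == "":
        return default
    try:
        limit = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"limit must be an integer, got {value!r}") from None
    if not lowest <= limit <= highest:
        raise ValueError(f"limit must be between {lowest} and {highest}, got {limit}")
    return limit


def build_udm_search_args(query, start_time=None, end_time=None, limit=None, now=None):
    """Produce the normalised argument set; raises ValueError on bad input."""
    if not query or not str(query).strip():
        raise ValueError("query is required")
    now = now or datetime.now(timezone.utc)
    start = parse_time_arg(start_time, now, timedelta(days=3))
    end = parse_time_arg(end_time, now, timedelta(0))
    if start >= end:  # added sanity check; the page does not document this rule
        raise ValueError("start_time must be earlier than end_time")
    return {
        "query": str(query).strip(),
        "start_time": start.strftime(RFC3339),
        "end_time": end.strftime(RFC3339),
        "limit": validate_limit(limit),
    }


if __name__ == "__main__":
    # principal.hostname is a field from the context output table; the value is constructed
    print(build_udm_search_args('principal.hostname = "example-host"',
                                "2 days", "5 hours", "50", now=FIXED_NOW))
```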

Context Output#

PathTypeDescription
GoogleChronicleBackstory.Events.eventTypeStringSpecifies the type of the event.
GoogleChronicleBackstory.Events.eventTimestampDateThe GMT timestamp when the event was generated.
GoogleChronicleBackstory.Events.idStringThe event ID.
GoogleChronicleBackstory.Events.ingestedTimestampDateThe GMT timestamp when the event was ingested in the vendor's instance.
GoogleChronicleBackstory.Events.ingestionLabels.keyStringThe key for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.Events.ingestionLabels.valueStringThe value for a field specified in the ingestion labels of the event.
GoogleChronicleBackstory.Events.collectedTimestampDateThe GMT timestamp when the event was collected by the vendor's local collection infrastructure.
GoogleChronicleBackstory.Events.logTypeStringType of log.
GoogleChronicleBackstory.Events.descriptionStringHuman-readable description of the event.
GoogleChronicleBackstory.Events.productEventTypeStringShort, descriptive, human-readable, and product-specific event name or type.
GoogleChronicleBackstory.Events.productLogIdStringA vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question.
GoogleChronicleBackstory.Events.productNameStringSpecifies the name of the product.
GoogleChronicleBackstory.Events.productVersionStringSpecifies the version of the product.
GoogleChronicleBackstory.Events.urlBackToProductStringURL linking to a relevant website where you can view more information about this specific event or the general event category.
GoogleChronicleBackstory.Events.vendorNameStringSpecifies the product vendor's name.
GoogleChronicleBackstory.Events.principal.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.principal.emailStringEmail address.
GoogleChronicleBackstory.Events.principal.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.principal.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.principal.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.principal.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.principal.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.ipStringIP address associated with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.countryOrRegionStringAssociated country or region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionCoordinates.latitudeNumberLatitude coordinates of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionCoordinates.longitudeNumberLongitude coordinates of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionLatitudeNumberLatitude of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.regionLongitudeNumberLongitude of the region for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.location.stateStringAssociated state of IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.asnStringAssociated ASN with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.carrierNameStringAssociated carrier name with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.dnsDomainStringAssociated DNS domain with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipGeoArtifact.network.organizationNameStringAssociated organization name with a network connection for IP Geolocation.
GoogleChronicleBackstory.Events.principal.ipLocation.countryOrRegionStringAssociated country or region for the IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionCoordinates.latitudeNumberLatitude coordinates of the region for the IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionCoordinates.longitudeNumberLongitude coordinates of the region for the IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionLatitudeNumberLatitude of the region for the IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.regionLongitudeNumberLongitude of the region for the IP location.
GoogleChronicleBackstory.Events.principal.ipLocation.stateStringAssociated state of the IP location.
GoogleChronicleBackstory.Events.principal.labels.keyStringThe key for a field specified in the principal labels of the event.
GoogleChronicleBackstory.Events.principal.labels.valueStringThe value for a field specified in the principal labels of the event.
GoogleChronicleBackstory.Events.principal.location.countryOrRegionStringAssociated country or region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionCoordinates.latitudeNumberLatitude coordinates of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionCoordinates.longitudeNumberLongitude coordinates of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionLatitudeNumberLatitude of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.regionLongitudeNumberLongitude of the region for the principal location.
GoogleChronicleBackstory.Events.principal.location.stateStringAssociated state of the principal location.
GoogleChronicleBackstory.Events.principal.resource.attribute.cloud.project.nameStringAssociated name of the project specified in the principal resource.
GoogleChronicleBackstory.Events.principal.resource.attribute.cloud.project.resourceSubtypeStringAssociated resource sub-type of the project specified in the principal resource.
GoogleChronicleBackstory.Events.principal.resource.attribute.labels.keyStringThe key for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.principal.resource.attribute.labels.valueStringThe value for a field specified in the principal resource labels of the event.
GoogleChronicleBackstory.Events.principal.user.attribute.cloud.environmentStringAssociated environment specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.cloud.project.idStringAssociated ID of the project specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.permissions.nameStringAssociated name of the permission specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.permissions.typeStringAssociated type of the permission specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.descriptionStringAssociated description of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.nameStringAssociated name of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.user.attribute.roles.typeStringAssociated type of the role specified in the principal user.
GoogleChronicleBackstory.Events.principal.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.principal.macStringMAC addresses associated with a device.
GoogleChronicleBackstory.Events.principal.administrativeDomainStringDomain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.principal.urlStringStandard URL.
GoogleChronicleBackstory.Events.principal.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.principal.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.principal.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.principal.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.principal.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.principal.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.principal.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.principal.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.principal.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.principal.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.principal.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.principal.user.employeeIdStringStores the product object ID for the user.
GoogleChronicleBackstory.Events.principal.user.productObjectIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.principal.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.principal.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.principal.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.principal.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.principal.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.principal.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.principal.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.principal.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.principal.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.target.assetId | String | Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.target.email | String | Email address.
GoogleChronicleBackstory.Events.target.hostname | String | Client hostname or domain name field.
GoogleChronicleBackstory.Events.target.platform | String | Platform operating system.
GoogleChronicleBackstory.Events.target.platformPatchLevel | String | Platform operating system patch level.
GoogleChronicleBackstory.Events.target.platformVersion | String | Platform operating system version.
GoogleChronicleBackstory.Events.target.ip | String | IP address associated with a network connection.
GoogleChronicleBackstory.Events.target.port | String | Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.target.mac | String | One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.target.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.target.application | String | Application of the target related to the event.
GoogleChronicleBackstory.Events.target.cloud.availabilityZone | String | Associated availability zone specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.environment | String | Associated environment specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.project.name | String | Associated name of the project specified in the event target.
GoogleChronicleBackstory.Events.target.cloud.vpc | Unknown | Associated VPC specified in the event target.
GoogleChronicleBackstory.Events.target.resource.name | String | Associated resource name specified in the event target.
GoogleChronicleBackstory.Events.target.resource.productObjectId | String | Associated product object ID specified in the event target.
GoogleChronicleBackstory.Events.target.resource.resourceType | String | Associated resource type specified in the event target.
GoogleChronicleBackstory.Events.target.resource.attribute.labels.key | String | The key for a field specified in the target resource labels of the event.
GoogleChronicleBackstory.Events.target.resource.attribute.labels.value | String | The value for a field specified in the target resource labels of the event.
GoogleChronicleBackstory.Events.target.url | String | Standard URL.
GoogleChronicleBackstory.Events.target.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.target.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.target.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.target.process.commandLine | String | Stores the command line string for the process.
GoogleChronicleBackstory.Events.target.process.productSpecificProcessId | String | Stores the product specific process ID.
GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.file | String | Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.target.process.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.target.process.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.target.process.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.target.process.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.target.process.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.target.process.parentPid | String | Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.target.process.pid | String | Stores the process ID.
GoogleChronicleBackstory.Events.target.registry.registryKey | String | Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.target.registry.registryValueData | String | Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.target.user.attribute.cloud.environment | String | Associated environment specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.cloud.project.id | String | Associated ID of the project specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.roles.name | String | Associated name of the role specified in the target user.
GoogleChronicleBackstory.Events.target.user.attribute.roles.type | String | Associated type of the role specified in the target user.
GoogleChronicleBackstory.Events.target.user.emailAddresses | String | Stores the email addresses for the user.
GoogleChronicleBackstory.Events.target.user.productObjectId | String | Stores the human resources product object ID for the user.
GoogleChronicleBackstory.Events.target.user.employeeId | String | Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.target.user.firstName | String | Stores the first name for the user.
GoogleChronicleBackstory.Events.target.user.middleName | String | Stores the middle name for the user.
GoogleChronicleBackstory.Events.target.user.lastName | String | Stores the last name for the user.
GoogleChronicleBackstory.Events.target.user.groupid | String | Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.target.user.phoneNumbers | String | Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.target.user.title | String | Stores the job title for the user.
GoogleChronicleBackstory.Events.target.user.userDisplayName | String | Stores the display name for the user.
GoogleChronicleBackstory.Events.target.user.userid | String | Stores the user ID.
GoogleChronicleBackstory.Events.target.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetId | String | Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.email | String | Email address.
GoogleChronicleBackstory.Events.intermediary.hostname | String | Client hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platform | String | Platform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevel | String | Platform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersion | String | Platform operating system version.
GoogleChronicleBackstory.Events.intermediary.ip | String | IP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.port | String | Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.mac | String | One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.url | String | Standard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLine | String | Stores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessId | String | Stores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.file | String | Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPid | String | Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pid | String | Stores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKey | String | Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueData | String | Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddresses | String | Stores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeId | String | Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstName | String | Stores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleName | String | Stores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastName | String | Stores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupid | String | Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbers | String | Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.title | String | Stores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayName | String | Stores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.userid | String | Stores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetId | String | Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.email | String | Email address.
GoogleChronicleBackstory.Events.src.hostname | String | Client hostname or domain name field.
GoogleChronicleBackstory.Events.src.platform | String | Platform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevel | String | Platform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersion | String | Platform operating system version.
GoogleChronicleBackstory.Events.src.ip | String | IP address associated with a network connection.
GoogleChronicleBackstory.Events.src.port | String | Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.mac | String | One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.url | String | Standard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.src.process.commandLine | String | Stores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessId | String | Stores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.file | String | Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.src.process.parentPid | String | Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pid | String | Stores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKey | String | Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueData | String | Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddresses | String | Stores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeId | String | Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstName | String | Stores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleName | String | Stores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastName | String | Stores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupid | String | Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbers | String | Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.title | String | Stores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayName | String | Stores the display name for the user.
GoogleChronicleBackstory.Events.src.user.userid | String | Stores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetId | String | Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.email | String | Email address.
GoogleChronicleBackstory.Events.observer.hostname | String | Client hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platform | String | Platform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevel | String | Platform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersion | String | Platform operating system version.
GoogleChronicleBackstory.Events.observer.ip | String | IP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.port | String | Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.mac | String | One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.url | String | Standard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.observer.process.commandLine | String | Stores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessId | String | Stores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.file | String | Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.observer.process.parentPid | String | Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pid | String | Stores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKey | String | Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueData | String | Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddresses | String | Stores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeId | String | Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstName | String | Stores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleName | String | Stores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastName | String | Stores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupid | String | Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbers | String | Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.title | String | Stores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayName | String | Stores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.userid | String | Stores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetId | String | Vendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.email | String | Email address.
GoogleChronicleBackstory.Events.about.hostname | String | Client hostname or domain name field.
GoogleChronicleBackstory.Events.about.platform | String | Platform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevel | String | Platform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersion | String | Platform operating system version.
GoogleChronicleBackstory.Events.about.ip | String | IP address associated with a network connection.
GoogleChronicleBackstory.Events.about.port | String | Source or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.mac | String | One or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomain | String | Domain that the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.url | String | Standard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.about.process.commandLine | String | Stores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessId | String | Stores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.file | String | Stores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadata | String | Metadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPath | String | Full path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5 | String | MD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1 | String | SHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256 | String | SHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.size | String | Size of the file.
GoogleChronicleBackstory.Events.about.process.parentPid | String | Stores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pid | String | Stores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKey | String | Stores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueData | String | Stores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddresses | String | Stores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeId | String | Stores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstName | String | Stores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleName | String | Stores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastName | String | Stores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupid | String | Stores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbers | String | Stores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.title | String | Stores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayName | String | Stores the display name for the user.
GoogleChronicleBackstory.Events.about.user.userid | String | Stores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocol | String | Indicates the network application protocol.
GoogleChronicleBackstory.Events.network.direction | String | Indicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.email | String | Specifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocol | String | Indicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytes | String | Specifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytes | String | Specifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostname | String | Hostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifier | String | Client identifier.
GoogleChronicleBackstory.Events.network.dhcp.file | String | Filename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flags | String | Value for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlen | String | Hardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hops | String | DHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htype | String | Hardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSeconds | String | Client-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcode | String | BOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddress | String | IP address requested by the client.
GoogleChronicleBackstory.Events.network.dhcp.seconds | String | Seconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.sname | String | Name of the server that the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionId | String | Client transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.type | String | DHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddr | String | Client hardware (MAC) address.
GoogleChronicleBackstory.Events.network.dhcp.ciaddr | String | IP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddr | String | IP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddr | String | IP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddr | String | "Your" IP address, that is, the address the server offers or assigns to the client.
GoogleChronicleBackstory.Events.network.dns.authoritative | String | Set to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.id | String | Stores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.response | String | Set to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcode | String | Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailable | String | Set to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesired | String | Set to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCode | String | Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncated | String | Set to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.name | String | Stores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.class | String | Stores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.type | String | Stores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryData | String | Stores the raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.class | String | Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.name | String | Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.type | String | Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryData | String | Stores the raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.class | String | Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.name | String | Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.type | String | Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryData | String | Stores the raw bytes of any non-UTF-8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.class | String | Stores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.data | String | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.name | String | Stores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttl | String | Stores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.type | String | Stores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.from | String | Stores the from email address.
GoogleChronicleBackstory.Events.network.email.replyTo | String | Stores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.to | String | Stores the to email addresses.
GoogleChronicleBackstory.Events.network.email.cc | String | Stores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bcc | String | Stores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailId | String | Stores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subject | String | Stores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.command | String | Stores the FTP command.
GoogleChronicleBackstory.Events.network.http.method | String | Stores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrl | String | Stores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCode | String | Stores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragent | String | Stores the User-Agent request header, which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authType | String | Type of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanism | String | Mechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.about | String | Provide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.action | String | Specify a security action.
GoogleChronicleBackstory.Events.securityResult.category | String | Specify a security category.
GoogleChronicleBackstory.Events.securityResult.categoryDetails | Unknown | Specify the security category details.
GoogleChronicleBackstory.Events.securityResult.detectionFields.key | String | The key for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.Events.securityResult.detectionFields.value | String | The value for a field specified in the security result, for MULTI_EVENT rules.
GoogleChronicleBackstory.Events.securityResult.confidence | String | Specify a confidence with regard to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetails | String | Additional details with regard to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priority | String | Specify a priority with regard to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetails | String | Vendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleId | String | Identifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleName | String | Name of the security rule.
GoogleChronicleBackstory.Events.securityResult.severity | String | Severity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetails | String | Severity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatName | String | Name of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProduct | String | URL to direct you to the source product console for this security event.

Command example#

```
!gcb-udm-search query="ip=\"0.0.0.1\"" limit="2"
```

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "Events": [
      {
        "metadata": {
          "productLogId": "010000",
          "eventTimestamp": "2025-07-14T00:59:52.110Z",
          "eventType": "REGISTRY_MODIFICATION",
          "vendorName": "Microsoft",
          "productName": "Microsoft-Windows-Sysmon",
          "productEventType": "13",
          "ingestedTimestamp": "2025-07-14T13:14:24.377988Z",
          "id": "010000=",
          "enrichmentState": "ENRICHED"
        },
        "principal": {
          "hostname": "active.stack.local",
          "assetId": "ACTIVE",
          "user": {
            "userid": "LOCAL SERVICE",
            "windowsSid": "S-1-1-10"
          },
          "process": {
            "pid": "1000",
            "file": {
              "fullPath": "C:\\Windows\\host.exe"
            },
            "productSpecificProcessId": "SYSMON:{00000000-0000-0000-0000-000000000f00}"
          },
          "ip": [
            "0.0.0.1"
          ],
          "administrativeDomain": "AUTHORITY",
          "asset": {
            "productObjectId": "0000-0000-0000-0000-000000001000",
            "hostname": "active.stack.local",
            "assetId": "ACTIVE",
            "ip": [
              "0.0.0.1"
            ],
            "platformSoftware": {
              "platform": "WINDOWS",
              "platformVersion": "Windows"
            },
            "location": {
              "countryOrRegion": "0"
            },
            "category": "Computer",
            "attribute": {
              "labels": [
                {
                  "key": "Bad password count",
                  "value": "0"
                },
                {
                  "key": "Password Expired",
                  "value": "false"
                }
              ],
              "creationTime": "2025-07-14T00:00:10Z",
              "lastUpdateTime": "2025-07-14T00:00:10Z"
            }
          }
        },
        "target": {
          "registry": {
            "registryKey": "System\\LastKnownGoodTime",
            "registryValueData": "WORD"
          },
          "ip": [
            "0.0.0.1"
          ]
        },
        "about": [
          {
            "labels": [
              {
                "key": "Category ID",
                "value": "RegistryEvent"
              }
            ]
          }
        ],
        "securityResult": [
          {
            "ruleName": "technique_id=T0000,technique_name=Service Creation",
            "summary": "Registry value set",
            "severity": "INFORMATIONAL"
          },
          {
            "ruleName": "EventID: 10",
            "action": [
              "ALLOW"
            ]
          }
        ]
      },
      {
        "name": "0000000020000",
        "udm": {
          "metadata": {
            "productLogId": "0001",
            "eventTimestamp": "2025-07-14T00:56:57.372Z",
            "eventType": "NETWORK_DNS",
            "vendorName": "Microsoft",
            "productName": "Microsoft",
            "productEventType": "22",
            "ingestedTimestamp": "2025-07-14T10:07:42.183563Z",
            "id": "0000000020000=",
            "enrichmentState": "ENRICHED"
          },
          "principal": {
            "hostname": "DESKTOP",
            "user": {
              "userid": "SYSTEM",
              "windowsSid": "S-1-1-11"
            },
            "process": {
              "pid": "2000",
              "file": {
                "sha256": "0000000000000000000000000000000000000000000000000000000000000001",
                "md5": "00000000000000000000000000000001",
                "sha1": "0000000000000000000000000000000000000001",
                "fullPath": "C:\\Scripts.exe",
                "fileMetadata": {
                  "pe": {
                    "importHash": "00000000000000000000000000000001"
                  }
                }
              },
              "commandLine": "\"C:\\Scripts.exe\" \"shutdown\"",
              "productSpecificProcessId": "SYSMON"
            },
            "administrativeDomain": "AUTHORITY"
          },
          "target": {
            "mac": [
              "0.0.0.1"
            ]
          },
          "about": [
            {
              "labels": [
                {
                  "key": "Category ID",
                  "value": "DnsQuery"
                }
              ]
            }
          ],
          "securityResult": [
            {
              "summary": "Dns query",
              "severity": "INFORMATIONAL"
            },
            {
              "ruleName": "EventID: 22",
              "summary": "QueryStatus: 0"
            }
          ],
          "network": {
            "applicationProtocol": "DNS",
            "dns": {
              "questions": [
                {
                  "name": "logging.googleapis.com"
                }
              ],
              "answers": [
                {
                  "type": 5,
                  "data": "logging.googleapis.com"
                }
              ]
            }
          }
        }
      }
    ]
  }
}
```

Human Readable Output#

Event(s) Details#

| Event ID | Event Timestamp | Event Type | Security Results | Principal Asset Identifier | Target Asset Identifier | Product Name | Vendor Name | Queried Domain |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 010000= | 2025-07-14T00:59:52.110Z | REGISTRY_MODIFICATION | Severity: INFORMATIONAL<br>Summary: Registry value set<br>Rule Name: technique_id=T0000,technique_name=Service Creation<br><br>Actions: ALLOW<br>Rule Name: EventID: 10 | active.stack.local | 0.0.0.1 | Microsoft-Windows-Sysmon | Microsoft |  |
| 0000000020000= | 2025-07-14T00:56:57.372Z | NETWORK_DNS | Severity: INFORMATIONAL<br>Summary: Dns query<br><br>Summary: QueryStatus: 0<br>Rule Name: EventID: 22 | DESKTOP | 0.0.0.1 | Microsoft | Microsoft | logging.googleapis.com |

Maximum number of events specified in limit has been returned. There might still be more events in your Google SecOps account. To fetch the next set of events, execute the command with the start time as 2025-07-14T00:59:52.110Z.
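The human-readable table above is a projection of the UDM objects under GoogleChronicleBackstory.Events, and the same objects are what gcb-get-event returns for a single ID. The following is an added example, not code from the integration, from Palo Alto Networks or from Google; it reproduces that projection in a playbook-style helper so an analyst can filter and summarise events after the command runs. Two things in it are assumptions rather than documented behaviour: that an event is either a bare UDM object (first entry of the context example) or a {"name", "udm"} wrapper (second entry), and that an asset identifier is the first of hostname, assetId, ip or mac that is present. SAMPLE_EVENTS is constructed by trimming the page's own context example.

```python
"""Added example (not the integration's own code): summarise UDM events the
way the gcb-udm-search human-readable table does.

Assumed (not stated on the page): events may be bare UDM objects or wrapped
in {"name": ..., "udm": {...}}; asset identifier precedence is hostname,
assetId, ip, mac. SAMPLE_EVENTS is constructed from the page's context example.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: trimmed from the context example above (both shapes).
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {
        "metadata": {"id": "010000=", "eventTimestamp": "2025-07-14T00:59:52.110Z",
                     "eventType": "REGISTRY_MODIFICATION",
                     "productName": "Microsoft-Windows-Sysmon", "vendorName": "Microsoft"},
        "principal": {"hostname": "active.stack.local", "assetId": "ACTIVE", "ip": ["0.0.0.1"]},
        "target": {"registry": {"registryKey": "System\\LastKnownGoodTime"}, "ip": ["0.0.0.1"]},
        "securityResult": [
            {"ruleName": "technique_id=T0000,technique_name=Service Creation",
             "summary": "Registry value set", "severity": "INFORMATIONAL"},
            {"ruleName": "EventID: 10", "action": ["ALLOW"]},
        ],
    },
    {
        "name": "0000000020000",
        "udm": {
            "metadata": {"id": "0000000020000=", "eventTimestamp": "2025-07-14T00:56:57.372Z",
                         "eventType": "NETWORK_DNS", "productName": "Microsoft",
                         "vendorName": "Microsoft"},
            "principal": {"hostname": "DESKTOP"},
            "target": {"mac": ["0.0.0.1"]},
            "securityResult": [
                {"summary": "Dns query", "severity": "INFORMATIONAL"},
                {"ruleName": "EventID: 22", "summary": "QueryStatus: 0"},
            ],
            "network": {"applicationProtocol": "DNS",
                        "dns": {"questions": [{"name": "logging.googleapis.com"}]}},
        },
    },
]


def unwrap(event: dict[str, Any]) -> dict[str, Any]:
    """Return the UDM body whether or not the event is wrapped in {"name", "udm"}."""
    return event.get("udm", event)


def asset_identifier(noun: dict[str, Any]) -> str:
    """First of hostname / assetId / ip / mac present on a UDM noun (assumed precedence)."""
    for key in ("hostname", "assetId", "ip", "mac"):
        value = noun.get(key)
        if value:
            return value[0] if isinstance(value, list) else value
    return ""


def security_result_lines(result: dict[str, Any]) -> list[str]:
    """Flatten one securityResult entry into the 'Label: value' lines the table prints."""
    lines: list[str] = []
    if result.get("severity"):
        lines.append(f"Severity: {result['severity']}")
    if result.get("summary"):
        lines.append(f"Summary: {result['summary']}")
    if result.get("action"):
        lines.append("Actions: " + ", ".join(result["action"]))
    if result.get("ruleName"):
        lines.append(f"Rule Name: {result['ruleName']}")
    return lines


def queried_domains(udm: dict[str, Any]) -> str:
    """Comma-joined DNS question names; empty for events that carry no DNS section."""
    questions = udm.get("network", {}).get("dns", {}).get("questions", [])
    return ", ".join(q["name"] for q in questions if q.get("name"))


def summarize_events(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One row per event with the columns of the command's human-readable table."""
    rows = []
    for event in events:
        udm = unwrap(event)
        meta = udm.get("metadata", {})
        rows.append({
            "event_id": meta.get("id", ""),
            "event_timestamp": meta.get("eventTimestamp", ""),
            "event_type": meta.get("eventType", ""),
            "security_results": [security_result_lines(r) for r in udm.get("securityResult", [])],
            "principal": asset_identifier(udm.get("principal", {})),
            "target": asset_identifier(udm.get("target", {})),
            "product_name": meta.get("productName", ""),
            "vendor_name": meta.get("vendorName", ""),
            "queried_domain": queried_domains(udm),
        })
    return rows


def events_of_type(events: list[dict[str, Any]], event_type: str) -> list[dict[str, Any]]:
    """Keep only events whose metadata.eventType matches, e.g. NETWORK_DNS."""
    return [e for e in events if unwrap(e).get("metadata", {}).get("eventType") == event_type]


if __name__ == "__main__":
    for row in summarize_events(SAMPLE_EVENTS):
        print(row["event_id"], row["event_type"], row["principal"], "->", row["target"],
              row["queried_domain"])
```

In a playbook the input would be `demisto.context()["GoogleChronicleBackstory"]["Events"]` rather than the constructed sample; because both event shapes are handled in `unwrap`, the same helper works for the single event returned by gcb-get-event.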

27. gcb-verify-value-in-reference-list#

Check whether the provided values are present in the specified reference lists in Google SecOps.

Base Command#

gcb-verify-value-in-reference-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| values | Specify the values to search for in the reference lists. Accepted format: "value 1, value 2, value 3". | Required |
| reference_list_names | Specify the names of the reference lists to search through. Supports comma-separated values. | Required |
| case_insensitive_search | If set to true, the command performs case-insensitive matching. Possible values are: True, False. Default is False. | Optional |
| delimiter | Delimiter by which the values are separated, for example ",", ":" or ";". Default is ",". | Optional |
| add_not_found_reference_lists | If set to true, the command also reports, in the human-readable output and in the context, the reference lists in which each value was not found. Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.VerifyValueInReferenceList.value | String | The value that was searched for in the reference lists. |
| GoogleChronicleBackstory.VerifyValueInReferenceList.found_in_lists | String | Names of the reference lists in which the value was found. |
| GoogleChronicleBackstory.VerifyValueInReferenceList.not_found_in_lists | String | Names of the reference lists in which the value was not found. |
| GoogleChronicleBackstory.VerifyValueInReferenceList.overall_status | String | Whether the value was found in any of the reference lists. |

Command example#

```
!gcb-verify-value-in-reference-list reference_list_names="list1,list2" values="value1;value2;value4" delimiter=; case_insensitive_search=True add_not_found_reference_lists=True
```

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "VerifyValueInReferenceList": [
      {
        "case_insensitive": true,
        "value": "value1",
        "found_in_lists": [
          "list1"
        ],
        "not_found_in_lists": [
          "list2"
        ],
        "overall_status": "Found"
      },
      {
        "case_insensitive": true,
        "value": "value2",
        "found_in_lists": [
          "list1"
        ],
        "not_found_in_lists": [
          "list2"
        ],
        "overall_status": "Found"
      },
      {
        "case_insensitive": true,
        "value": "value4",
        "found_in_lists": [],
        "not_found_in_lists": [
          "list1",
          "list2"
        ],
        "overall_status": "Not Found"
      }
    ]
  }
}
```

Human Readable Output#

Successfully searched provided values in the reference lists in Google SecOps#

| Value | Found In Lists | Not Found In Lists | Overall Status |
| --- | --- | --- | --- |
| value1 | list1 | list2 | Found |
| value2 | list1 | list2 | Found |
| value4 |  | list1, list2 | Not Found |
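The command example above only reports which of value1, value2 and value4 appear in list1 and list2; whether a match is found depends on the delimiter used to split `values` and on `case_insensitive_search`, which is off by default. The following is an added example, not code from the integration or from Google, that reproduces that matching offline so the effect of the three optional arguments can be checked before the command is run in a playbook. REFERENCE_LISTS is constructed; in production the lists live in Google SecOps and are fetched by name. Two behaviours are assumptions of this example rather than documented: list items are compared as whole, whitespace-trimmed entries, and `not_found_in_lists` is emitted only when `add_not_found_reference_lists` is true (the context example shows it present with the flag set).

```python
"""Added example (not the integration's own code): offline model of the matching
reported by gcb-verify-value-in-reference-list.

Assumed, not stated on the page: whole-item comparison after whitespace
trimming; not_found_in_lists present only when add_not_found is true.
REFERENCE_LISTS is constructed sample data.
"""
from __future__ import annotations

from typing import Any, Callable

# Constructed reference lists standing in for the ones fetched from Google SecOps.
# Note the mixed case: "Value1" only matches "value1" with case_insensitive=True.
REFERENCE_LISTS: dict[str, list[str]] = {
    "list1": ["Value1", "value2", "corp-proxy.example"],
    "list2": ["VALUE3", "corp-proxy.example"],
}


def split_values(values: str, delimiter: str = ",") -> list[str]:
    """Split the `values` argument on `delimiter`, trimming whitespace and dropping empties."""
    if not delimiter:
        raise ValueError("delimiter must be a non-empty string")
    return [part.strip() for part in values.split(delimiter) if part.strip()]


def verify_values(
    values: str,
    reference_list_names: str,
    lists: dict[str, list[str]],
    delimiter: str = ",",
    case_insensitive: bool = False,
    add_not_found: bool = False,
) -> list[dict[str, Any]]:
    """Return one result per value with the keys of the command's context output."""
    requested = split_values(reference_list_names, ",")
    missing = [name for name in requested if name not in lists]
    if missing:
        # Fail loudly: a mistyped list name would otherwise report every value as Not Found.
        raise KeyError(f"unknown reference list(s): {', '.join(missing)}")

    normalise: Callable[[str], str] = str.casefold if case_insensitive else str
    # Normalise each list once into a set so each membership test is O(1).
    indexed = {name: {normalise(item.strip()) for item in lists[name]} for name in requested}

    results: list[dict[str, Any]] = []
    for value in split_values(values, delimiter):
        found = [name for name in requested if normalise(value) in indexed[name]]
        entry: dict[str, Any] = {
            "case_insensitive": case_insensitive,
            "value": value,
            "found_in_lists": found,
            "overall_status": "Found" if found else "Not Found",
        }
        if add_not_found:
            entry["not_found_in_lists"] = [name for name in requested if name not in found]
        results.append(entry)
    return results


if __name__ == "__main__":
    # Mirrors the command example: delimiter ";", case-insensitive, report not-found lists.
    for row in verify_values("value1;value2;value4", "list1,list2", REFERENCE_LISTS,
                             delimiter=";", case_insensitive=True, add_not_found=True):
        print(row["value"], row["overall_status"], row["found_in_lists"])
```

Running the same values with the defaults (comma delimiter, case-sensitive) is the common mistake: "value1;value2;value4" is then one value, and "value1" alone does not match "Value1". Keep the delimiter consistent with how the indicator field is populated in the incident before wiring the command into a playbook.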

28. gcb-verify-rule#

Verifies that a rule is a valid YARA-L 2.0 rule without creating a new rule or evaluating it over data.

Base Command#

gcb-verify-rule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_text | Specify the rule text, in YARA-L 2.0 format, to verify. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.VerifyRule.success | Boolean | Whether rule_text is a valid YARA-L 2.0 rule. |
| GoogleChronicleBackstory.VerifyRule.context | String | The success message, or the compilation error if verification fails. |
| GoogleChronicleBackstory.VerifyRule.command_name | String | The command name. |

Command example#

```
!gcb-verify-rule rule_text="rule singleEventRule2 { meta: author = \"securityuser\" description = \"single event rule that should generate detections\" events: $e.metadata.event_type = \"NETWORK_DNS\" condition: $e }"
```

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "VerifyRule": {
      "command_name": "gcb-verify-rule",
      "context": "identified no known errors",
      "success": true
    }
  }
}
```

Human Readable Output#

Identified no known errors#

29. gcb-get-event#

Retrieve the event with the given ID from Google SecOps.

Note: This command can return more than 60 different event types. Each event populates only the context fields that apply to its type; refer to the UDM documentation for the output properties of a given event type.

Base Command#

gcb-get-event

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | Specify the ID of the event.<br><br>Note: The event_id can be retrieved from the context output path (GoogleChronicleBackstory.Events.id) of the gcb-list-events command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Events.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.Events.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.Events.collectedTimestamp | Date | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. |
| GoogleChronicleBackstory.Events.description | String | Human-readable description of the event. |
| GoogleChronicleBackstory.Events.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.Events.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.Events.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.Events.productVersion | String | Specifies the version of the product. |
| GoogleChronicleBackstory.Events.urlBackToProduct | String | URL linking to a relevant website where you can view more information about this specific event or the general event category. |
| GoogleChronicleBackstory.Events.vendorName | String | Specifies the product vendor's name. |
| GoogleChronicleBackstory.Events.principal.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.principal.email | String | Email address. |
| GoogleChronicleBackstory.Events.principal.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.principal.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.principal.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.principal.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.principal.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.principal.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.principal.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.principal.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.principal.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.principal.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.principal.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.principal.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.principal.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.principal.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.principal.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.principal.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.principal.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.principal.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.principal.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.principal.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.principal.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.principal.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.principal.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.principal.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.principal.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.principal.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.principal.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.principal.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.principal.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.principal.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.principal.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.principal.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.principal.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.principal.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.principal.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.target.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.target.email | String | Email address. |
| GoogleChronicleBackstory.Events.target.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.target.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.target.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.target.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.target.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.target.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.target.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.target.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.target.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.target.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.target.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.target.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.target.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.target.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.target.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.target.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.target.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.target.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.target.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.target.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.target.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.target.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.target.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.target.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.target.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.target.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.target.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.target.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.target.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.target.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.target.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.target.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.target.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.target.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.target.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.target.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.intermediary.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.intermediary.email | String | Email address. |
| GoogleChronicleBackstory.Events.intermediary.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.intermediary.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.intermediary.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.intermediary.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.intermediary.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.intermediary.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.intermediary.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.intermediary.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.intermediary.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.intermediary.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.intermediary.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.intermediary.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.intermediary.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.intermediary.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.intermediary.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.intermediary.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.intermediary.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.intermediary.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.intermediary.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.intermediary.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.src.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.src.email | String | Email address. |
| GoogleChronicleBackstory.Events.src.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.src.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.src.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.src.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.src.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.src.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.src.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.src.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.src.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.src.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.src.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.src.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.src.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.src.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.src.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.src.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.src.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.src.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.src.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.src.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.src.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.src.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.src.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.src.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.src.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.src.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.src.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.src.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.src.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.src.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.src.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.src.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.src.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.src.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.src.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.src.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.src.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.src.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.observer.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.observer.email | String | Email address. |
| GoogleChronicleBackstory.Events.observer.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.observer.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.observer.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.observer.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.observer.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.observer.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.observer.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.observer.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.observer.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.observer.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.observer.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.observer.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.observer.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.observer.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.observer.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.observer.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.observer.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.observer.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.observer.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.observer.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.observer.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.observer.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.observer.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.observer.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.observer.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.observer.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.observer.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.observer.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.observer.user.middleName | String | Stores the middle name for the user. |
GoogleChronicleBackstory.Events.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.emailStringEmail address.
GoogleChronicleBackstory.Events.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.urlStringStandard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Events.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Events.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Events.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Events.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Events.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Events.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Events.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Events.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.

Command example#

!gcb-get-event event_id="dummy_id"

Context Example#

{
  "GoogleChronicleBackstory": {
    "Events": {
      "additional": {
        "app_micro_tenant_id": "0",
        "client_to_client": "0",
        "client_zen": "EU-DE-9490",
        "connection_id": "dummy_connection_id",
        "connector": "0",
        "connector_zen": "0",
        "customer": "New Demo Center",
        "double_encryption": "Off",
        "idp": "0",
        "micro_tenant_id": "0",
        "policy_processing_time": "0",
        "pra_approval_id": "0",
        "pra_capability_policy_id": "0",
        "pra_credential_policy_id": "0",
        "server_setup_time": "0",
        "timestamp_connection_end": "2024-11-12T12:19:59.961Z"
      },
      "baseLabels": {
        "allowScopedAccess": true,
        "logTypes": [
          "NEW_XYZ"
        ]
      },
      "description": "0",
      "eventTimestamp": "2024-11-12T12:19:59Z",
      "eventType": "GENERIC_EVENT",
      "id": "dummy_id",
      "ingestedTimestamp": "2024-11-12T12:20:03.217859Z",
      "intermediary": [
        {
          "application": "0",
          "resource": {
            "attribute": {
              "labels": [
                {
                  "key": "new_total_bytes_tx_connector",
                  "value": "0"
                }
              ]
            }
          }
        }
      ],
      "logType": "NEW_XYZ",
      "network": {
        "ipProtocol": "TCP",
        "sessionId": "dummy"
      },
      "principal": {
        "location": {
          "city": "New City",
          "countryOrRegion": "US",
          "regionCoordinates": {
            "latitude": 0,
            "longitude": 0
          }
        },
        "natIp": [
          "0.0.0.0"
        ],
        "port": 11522,
        "user": {
          "userDisplayName": "New LSS Client"
        }
      },
      "productEventType": "APP_NOT_REACHABLE",
      "productName": "Private Access",
      "securityResult": [
        {
          "about": {
            "labels": [
              {
                "key": "connection_status",
                "value": "close"
              }
            ]
          },
          "description": "None of the App Connectors configured.",
          "detectionFields": [
            {
              "key": "server",
              "value": "0"
            }
          ],
          "ruleName": "0"
        }
      ],
      "target": {
        "application": "New Enterprise Server - User Status",
        "hostname": "0.0.0.0",
        "port": 11522,
        "user": {
          "groupIdentifiers": [
            "New Enterprise Server - User Status"
          ]
        }
      },
      "vendorName": "NewClient"
    }
  }
}

Human Readable Output#

General Information for the given event with ID: dummy_id#

| Base Labels | Description | Event Timestamp | Event Type | Id | Ingested Timestamp | Log Type | Product Event Type | Product Name | Vendor Name |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| logTypes: NEW_XYZ; allowScopedAccess: True | 0 | 2024-11-12T12:19:59Z | GENERIC_EVENT | dummy_id | 2024-11-12T12:20:03.217859Z | NEW_XYZ | APP_NOT_REACHABLE | Private Access | NewClient |

Principal Information#

| Location | Nat Ip | Port | User |
| --- | --- | --- | --- |
| city: New City; countryOrRegion: US; regionCoordinates: latitude 0.0, longitude 0.0 | 0.0.0.0 | 11522 | userDisplayName: New LSS Client |

Target Information#

| Application | Hostname | Port | User |
| --- | --- | --- | --- |
| New Enterprise Server - User Status | 0.0.0.0 | 11522 | groupIdentifiers: New Enterprise Server - User Status |

Security Result Information#

| About | Description | Detection Fields | Rule Name |
| --- | --- | --- | --- |
| labels: connection_status = close | None of the App Connectors configured. | server = 0 | 0 |

Network Information#

| Ip Protocol | Session Id |
| --- | --- |
| TCP | dummy |

30. gcb-reference-list-append-content#


Appends lines to an existing reference list.

Base Command#

gcb-reference-list-append-content

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the list to append content to. | Required |
| lines | Enter the content to be appended to the reference list. Format accepted is: "Line 1, Line 2, Line 3". Note: Use "gcb-get-reference-list" to retrieve the current content of the list. | Optional |
| entry_id | Provide the entry ID of a file whose lines should be appended. Note: Provide exactly one of "lines" or "entry_id". You can get the entry_id from the context path (File.EntryID). | Optional |
| delimiter | Delimiter by which the content of the list is separated. Eg: " , ", " : ", " ; ". Default is " , ". | Optional |
| use_delimiter_for_file | Flag to control how the file content is split. If set to True, the provided delimiter is used; otherwise the file is split on new lines (\n). Possible values are: True, False. Default is False. | Optional |
| append_unique | A flag to determine whether to apply deduplication logic to the new lines. Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceList.name | String | The unique name of the list. |
| GoogleChronicleBackstory.ReferenceList.description | String | The description of the list. |
| GoogleChronicleBackstory.ReferenceList.lines | String | The list of line items. |
| GoogleChronicleBackstory.ReferenceList.createTime | Date | The time when the list was created. |
| GoogleChronicleBackstory.ReferenceList.contentType | String | The content type of the reference list. |

Command Example#

!gcb-reference-list-append-content name="readme_list_name" lines="Line3"

Context Example#

{
  "GoogleChronicleBackstory": {
    "ReferenceList": {
      "createTime": "2025-06-16T07:11:11.380991Z",
      "description": "list created for readme",
      "contentType": "PLAIN_TEXT",
      "lines": [
        "Line1",
        "Line2",
        "Line3"
      ],
      "name": "readme_list_name"
    }
  }
}

Human Readable Output#

Updated Reference List Details#

| Name | Content Type | Description | Creation Time | Content |
| --- | --- | --- | --- | --- |
| readme_list_name | PLAIN_TEXT | list created for readme | 2025-06-16T07:11:11.380991Z | Line1, Line2, Line3 |

31. gcb-reference-list-remove-content#


Removes lines from an existing reference list.

Base Command#

gcb-reference-list-remove-content

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the list to remove content from. | Required |
| lines | Enter the content to be removed from the reference list. Format accepted is: "Line 1, Line 2, Line 3". Note: Use "gcb-get-reference-list" to retrieve the current content of the list. | Optional |
| entry_id | Provide the entry ID of a file whose lines should be removed. Note: Provide exactly one of "lines" or "entry_id". You can get the entry_id from the context path (File.EntryID). | Optional |
| delimiter | Delimiter by which the content of the list is separated. Eg: " , ", " : ", " ; ". Default is " , ". | Optional |
| use_delimiter_for_file | Flag to control how the file content is split. If set to True, the provided delimiter is used; otherwise the file is split on new lines (\n). Possible values are: True, False. Default is False. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.ReferenceList.name | String | The unique name of the list. |
| GoogleChronicleBackstory.ReferenceList.description | String | The description of the list. |
| GoogleChronicleBackstory.ReferenceList.lines | String | The list of line items. |
| GoogleChronicleBackstory.ReferenceList.createTime | Date | The time when the list was created. |
| GoogleChronicleBackstory.ReferenceList.contentType | String | The content type of the reference list. |

Command Example#

!gcb-reference-list-remove-content name="reference_list_name" lines="Line3"

Context Example#

{
  "GoogleChronicleBackstory": {
    "ReferenceList": {
      "createTime": "2025-06-16T07:11:11.380991Z",
      "description": "list created for readme",
      "contentType": "PLAIN_TEXT",
      "lines": [
        "Line1",
        "Line2"
      ],
      "name": "reference_list_name"
    }
  }
}

Human Readable Output#

Updated Reference List Details#

| Name | Content Type | Description | Creation Time | Content |
| --- | --- | --- | --- | --- |
| reference_list_name | PLAIN_TEXT | list created for readme | 2025-06-16T07:11:11.380991Z | Line1, Line2 |
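
The argument handling described for gcb-reference-list-append-content and gcb-reference-list-remove-content above, modelled locally as an added Python example (this is not the integration's own code): `lines` is split on the delimiter, an uploaded file is split on new lines unless use_delimiter_for_file is set, append_unique suppresses duplicates, and a removal reports the lines that were not in the list. The starting list content is constructed sample data, and exact, case-sensitive comparison after trimming surrounding whitespace is an assumption about how the command matches lines.

```python
"""Added example, not the integration's code: local model of the append /
remove argument handling for Google SecOps reference lists."""
from typing import Iterable, List, Tuple


def split_content(content: str, delimiter: str = ",", from_file: bool = False,
                  use_delimiter_for_file: bool = False) -> List[str]:
    """Split the `lines` argument (or an uploaded file's content) into items.

    `lines` is always split on `delimiter`; file content is split on new
    lines unless use_delimiter_for_file is true. Surrounding whitespace and
    empty items are dropped, mirroring the "Line 1, Line 2" format above
    (assumption: the command trims the same way).
    """
    if from_file and not use_delimiter_for_file:
        parts = content.splitlines()
    else:
        parts = content.split(delimiter)
    return [p.strip() for p in parts if p.strip()]


def append_content(existing: List[str], new_lines: Iterable[str],
                   append_unique: bool = False) -> List[str]:
    """Return the list after appending.

    Without append_unique every new line is added, even if it is already
    present; with it, a line is added once and only if it is absent.
    """
    result = list(existing)
    if not append_unique:
        result.extend(new_lines)
        return result
    seen = set(result)
    for line in new_lines:
        if line not in seen:
            result.append(line)
            seen.add(line)
    return result


def remove_content(existing: List[str],
                   lines_to_remove: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (remaining lines, requested lines that were not in the list).

    The second element lets a playbook notice a removal that silently did
    nothing, for instance because of a stray space or different case.
    """
    to_remove = set(lines_to_remove)
    remaining = [line for line in existing if line not in to_remove]
    missing = sorted(to_remove - set(existing))
    return remaining, missing


# Constructed sample list, the same content the context examples above show.
SAMPLE_LIST = ["Line1", "Line2"]
```

Because reference lists feed detection rules, verify the returned lines after an append or remove (gcb-get-reference-list shows the current content) rather than trusting that the call succeeded: a remove that misses on whitespace or case leaves a stale entry in place, and without append_unique a playbook that re-runs keeps growing the list with duplicates.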

32. gcb-list-data-tables#


Returns a list of data tables.

Base Command#

gcb-list-data-tables

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| page_size | Specify the maximum number of data tables to return, between 1 and 1000; values above 1000 are corrected to 1000. Default is 100. | Optional |
| page_token | Specify the page token to use for pagination. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.DataTable.name | String | The identifier of the data table. |
| GoogleChronicleBackstory.DataTable.displayName | String | The name of the data table. |
| GoogleChronicleBackstory.DataTable.description | String | The description of the data table. |
| GoogleChronicleBackstory.DataTable.createTime | Date | The time when the data table was created. |
| GoogleChronicleBackstory.DataTable.updateTime | Date | The time when the data table was updated. |
| GoogleChronicleBackstory.DataTable.columnInfo.originalColumn | String | The original column name. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnType | String | The type of the column. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnIndex | Number | The index of the column. |
| GoogleChronicleBackstory.DataTable.dataTableUuid | String | The UUID of the data table. |
| GoogleChronicleBackstory.DataTable.approximateRowCount | Number | The approximate count of rows of the data table. |

Command example#

!gcb-list-data-tables

Context Example#

{
  "GoogleChronicleBackstory": {
    "DataTable": [
      {
        "columnInfo": [
          {
            "columnType": "REGEX",
            "originalColumn": "column_1"
          },
          {
            "columnIndex": 1,
            "columnType": "STRING",
            "originalColumn": "column_2"
          }
        ],
        "createTime": "2025-08-18T05:45:04.624866Z",
        "dataTableUuid": "00000000000000000000000000000001",
        "description": "test description",
        "displayName": "test_1",
        "name": "projects/sample-001/locations/us/instances/00000000-0000-0000-0000-000000000001/dataTables/test_1",
        "updateTime": "2025-08-18T05:45:04.624866Z"
      },
      {
        "approximateRowCount": "1055",
        "columnInfo": [
          {
            "columnType": "STRING",
            "originalColumn": "A"
          },
          {
            "columnIndex": 1,
            "columnType": "REGEX",
            "originalColumn": "B"
          }
        ],
        "createTime": "2025-08-13T05:01:47.031912Z",
        "dataTableUuid": "00000000000000000000000000000000",
        "description": "test description",
        "displayName": "test",
        "name": "projects/sample-001/locations/us/instances/00000000-0000-0000-0000-000000000001/dataTables/test",
        "updateTime": "2025-08-22T08:03:03.395766Z"
      }
    ]
  }
}

Human Readable Output#

Data Tables#

| Display Name | Description | Column Info | Create Time | Update Time | Approximate Row Count |
| --- | --- | --- | --- | --- | --- |
| test_1 | test description | column_1 (REGEX), column_2 (STRING) | 2025-08-18T05:45:04.624866Z | 2025-08-18T05:45:04.624866Z | |
| test | test description | A (STRING), B (REGEX) | 2025-08-13T05:01:47.031912Z | 2025-08-22T08:03:03.395766Z | 1055 |

Maximum number of data tables specified in page_size has been returned. To fetch the next set of data tables, execute the command with the page token as dummy_page_token.

33. gcb-create-data-table#


Creates a new data table schema.

Base Command#

gcb-create-data-table

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide a unique name for the data table. | Required |
| description | Provide a description for the data table. | Optional |
| columns | Provide the columns of the data table. Format accepted is: {"column_name_1": "column_1_type", "column_name_2": "column_2_type"}. Expected values for column_type are: STRING, REGEX, CIDR, NUMBER, or an entity key field map path. Type names are matched case-insensitively (the command example below passes "regex" and "String"). Note: If the same column name is provided multiple times, only the last value is considered. | Required |
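
Validating the `columns` argument before calling gcb-create-data-table, as an added Python example (not the integration's code): the JSON object is parsed, each type is normalised to the upper-case form the context examples show, a repeated column name collapses to its last value as the note above says, and a value that is not one of the four named types is treated as an entity key field map path. The request key used for that path, mappedColumnPath, is an assumption; the page does not show that field.

```python
"""Added example, not the integration's code: parse and validate the
`columns` argument of gcb-create-data-table into columnInfo-style entries."""
import json
from typing import Dict, List

# Types named on the page. The command example passes "regex" / "String"
# and the response shows REGEX / STRING, so the comparison is case-insensitive.
NAMED_COLUMN_TYPES = {"STRING", "REGEX", "CIDR", "NUMBER"}


def parse_columns(columns_arg: str) -> List[Dict]:
    """Turn the JSON `columns` argument into a list of column entries.

    json.loads keeps the last value of a repeated key, which is exactly the
    "only the last value will be considered" behaviour documented above, so
    a duplicated column name never raises here; it silently wins.
    """
    try:
        spec = json.loads(columns_arg)
    except json.JSONDecodeError as exc:
        raise ValueError(f"columns must be a JSON object: {exc.msg}") from None
    if not isinstance(spec, dict) or not spec:
        raise ValueError('columns must be a non-empty object like {"name": "type"}')

    column_info = []
    for index, (name, ctype) in enumerate(spec.items()):
        if not name.strip():
            raise ValueError("column names must be non-empty strings")
        if not isinstance(ctype, str) or not ctype.strip():
            raise ValueError(f"column {name!r}: type must be a non-empty string")
        entry = {"originalColumn": name, "columnIndex": index}
        normalised = ctype.strip().upper()
        if normalised in NAMED_COLUMN_TYPES:
            entry["columnType"] = normalised
        else:
            # Anything else is taken as an entity key field map path.
            # "mappedColumnPath" is an assumed request field name.
            entry["mappedColumnPath"] = ctype.strip()
        column_info.append(entry)
    return column_info
```

Run the parser on the argument a playbook is about to send; a duplicate column name or a misspelt type is far cheaper to catch here than after a schema has been created that rules already reference.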

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.DataTable.name | String | The identifier of the data table. |
| GoogleChronicleBackstory.DataTable.displayName | String | The name of the data table. |
| GoogleChronicleBackstory.DataTable.description | String | The description of the data table. |
| GoogleChronicleBackstory.DataTable.createTime | Date | The time when the data table was created. |
| GoogleChronicleBackstory.DataTable.updateTime | Date | The time when the data table was updated. |
| GoogleChronicleBackstory.DataTable.columnInfo.originalColumn | String | The original column name. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnType | String | The type of the column. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnIndex | Number | The index of the column. |
| GoogleChronicleBackstory.DataTable.dataTableUuid | String | The UUID of the data table. |

Command Example#

!gcb-create-data-table name=data_table_name description=data_table_description columns={"column_1":"regex", "column_2":"String","column_3":"CIDR"}

Context Example#

{
  "GoogleChronicleBackstory": {
    "DataTable": {
      "columnInfo": [
        {
          "columnType": "REGEX",
          "originalColumn": "column_1"
        },
        {
          "columnIndex": 1,
          "columnType": "STRING",
          "originalColumn": "column_2"
        },
        {
          "columnIndex": 2,
          "columnType": "CIDR",
          "originalColumn": "column_3"
        }
      ],
      "createTime": "2025-08-18T09:54:50.841579275Z",
      "dataTableUuid": "00000000000000000000000000000001",
      "description": "data_table_description",
      "displayName": "data_table_name",
      "name": "projects/dummy_project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/data_table_name",
      "updateTime": "1970-01-01T00:00:00Z"
    }
  }
}

Human Readable Output#

Data Table Details#

| Display Name | Description | Columns Info | Create Time | Update Time |
| --- | --- | --- | --- | --- |
| data_table_name | data_table_description | column_1 (REGEX), column_2 (STRING), column_3 (CIDR) | 2025-08-18T09:54:50.841579275Z | 1970-01-01T00:00:00Z |

34. gcb-get-data-table#


Retrieves the details of the specified data table.

Base Command#

gcb-get-data-table

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the data table. | Required |
| view | Select an option to control the returned response. BASIC returns the metadata of the data table but not its row contents; FULL returns everything. Possible values are: FULL, BASIC. Default is BASIC. | Optional |
| max_rows_to_return | Specify how many data table rows to return. Note: this parameter is only applied if "view" is FULL. The maximum value is 1000; values above 1000 are coerced to 1000. Default is 100. | Optional |
| page_token | The page token to retrieve the next set of data table rows. Note: this parameter is only applied if "view" is FULL. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.DataTable.name | String | The identifier of the data table. |
| GoogleChronicleBackstory.DataTable.displayName | String | The name of the data table. |
| GoogleChronicleBackstory.DataTable.description | String | The description of the data table. |
| GoogleChronicleBackstory.DataTable.createTime | Date | The time when the data table was created. |
| GoogleChronicleBackstory.DataTable.updateTime | Date | The time when the data table was updated. |
| GoogleChronicleBackstory.DataTable.columnInfo.originalColumn | String | The original column name. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnType | String | The type of the column. |
| GoogleChronicleBackstory.DataTable.columnInfo.columnIndex | Number | The index of the column. |
| GoogleChronicleBackstory.DataTable.dataTableUuid | String | The UUID of the data table. |
| GoogleChronicleBackstory.DataTable.approximateRowCount | Number | The approximate count of rows of the data table. |
| GoogleChronicleBackstory.DataTable.rows.name | String | The identifier of the row. |
| GoogleChronicleBackstory.DataTable.rows.values | String | The values of the row, keyed by column name. |
| GoogleChronicleBackstory.DataTable.rows.createTime | Date | The time when the row was created. |
| GoogleChronicleBackstory.DataTable.rows.updateTime | Date | The time when the row was updated. |

Command Example#

!gcb-get-data-table name=data_table_name view=FULL max_rows_to_return=1

Context Example#

{
  "GoogleChronicleBackstory": {
    "DataTable": {
      "approximateRowCount": "1",
      "columnInfo": [
        {
          "columnType": "STRING",
          "originalColumn": "column_1"
        },
        {
          "columnIndex": 1,
          "columnType": "STRING",
          "originalColumn": "column_2"
        },
        {
          "columnIndex": 2,
          "columnType": "CIDR",
          "originalColumn": "column_3"
        }
      ],
      "createTime": "2025-08-13T05:01:47.031912Z",
      "dataTableUuid": "665c88d4a5bc4a6faa006152e1adeccd",
      "description": "data_table_description",
      "displayName": "data_table_name",
      "name": "projects/project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/data_table_name",
      "rows": [
        {
          "createTime": "2025-08-13T05:04:11.212111Z",
          "name": "projects/project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/data_table_name/dataTableRows/data_table_row_id",
          "updateTime": "2025-08-13T05:04:11.212111Z",
          "values": {
            "column_1": "value_1",
            "column_2": "value_2",
            "column_3": "0.0.0.1/24"
          }
        }
      ],
      "updateTime": "2025-08-13T05:09:11.288412Z"
    }
  }
}

Human Readable Output

Data Table Details

| Display Name | Description | Columns Info | Create Time | Update Time | Approximate Row Count |
| --- | --- | --- | --- | --- | --- |
| data_table_name | data_table_description | Column Name: column_1, Column Type: STRING; Column Name: column_2, Column Type: STRING; Column Name: column_3, Column Type: CIDR | 2025-08-13T05:01:47.031912Z | 2025-08-13T05:09:11.288412Z | 1 |

Data Table Rows Content

| column_1 | column_2 | column_3 |
| --- | --- | --- |
| value_1 | value_2 | 0.0.0.1/24 |

The maximum number of data table rows specified in max_rows_to_return has been returned. To fetch the next set of data table rows, execute the command with the page token as dummy_page_token.

35. gcb-verify-value-in-data-table

Check if the provided values are found in the data table.

Note: This command only searches the first 1000 data table rows. To search the next set of rows, use the page_token argument.

Base Command

gcb-verify-value-in-data-table

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| values | Provide the values to search in the data table. Format accepted is: "value 1, value 2, value 3". | Required |
| name | Provide a data table name to search through. | Required |
| columns | Provide the columns that need to be searched within the data table. Format accepted is: "column 1, column 2, column 3". Note: Use "gcb-get-data-table" to retrieve the column names of the data table. If nothing is provided, the command will search within all columns. | Optional |
| case_insensitive_search | If set to true, the command performs case-insensitive matching. Possible values are: True, False. Default is False. | Optional |
| delimiter | Delimiter by which the content of the values list is separated, e.g. ",", ":", ";". Default is ",". | Optional |
| add_not_found_columns | If set to true, the command also adds the column names in which a value was not found to the human-readable output and the context. Possible values are: True, False. Default is False. | Optional |
| page_token | The page token to search the next set of data table rows. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.VerifyValueInDataTable.value | String | The value that was searched. |
| GoogleChronicleBackstory.VerifyValueInDataTable.found_in_columns | String | The columns in which the value was found. |
| GoogleChronicleBackstory.VerifyValueInDataTable.not_found_in_columns | String | The columns in which the value was not found. |
| GoogleChronicleBackstory.VerifyValueInDataTable.overall_status | String | The overall status of the search. |

Command Example

!gcb-verify-value-in-data-table columns="column_name_1,column_name_2" name=data_table_name values="value1,value2,value3" case_insensitive_search=True add_not_found_columns=True

Context Example

{
"GoogleChronicleBackstory": {
"VerifyValueInDataTable": [
{
"case_insensitive": true,
"found_in_columns": [
"column_name_1"
],
"not_found_in_columns": [
"column_name_2"
],
"overall_status": "Found",
"value": "value1"
},
{
"case_insensitive": true,
"found_in_columns": [
"column_name_1",
"column_name_2"
],
"overall_status": "Found",
"value": "value2"
},
{
"case_insensitive": true,
"not_found_in_columns": [
"column_name_1",
"column_name_2"
],
"overall_status": "Not Found",
"value": "value3"
}
]
}
}

Human Readable Output

Successfully searched provided values in the data_table_name data table

| Value | Found In Columns | Not Found In Columns | Overall Status |
| --- | --- | --- | --- |
| value1 | column_name_1 | column_name_2 | Found |
| value2 | column_name_1,column_name_2 | | Found |
| value3 | | column_name_1,column_name_2 | Not Found |

The command can search up to 1000 rows in a single execution. To search the next set of data table rows, execute the command with the page token as dummy_page_token.
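The matching rules the arguments above describe (a custom delimiter, an optional column restriction, case-insensitive comparison, the listing of not-found columns, and the 1000-row search window), as an added Python example that is not part of the integration's code; the function names and the sample rows are constructed for illustration, and a boolean stands in for the page token.

```python
"""Added example (not the Google SecOps integration's own code): reproduces the
documented matching semantics of gcb-verify-value-in-data-table over an
in-memory copy of data table rows and builds the same context shape."""
from typing import Dict, List, Optional, Tuple

# The command searches at most this many rows per execution (per the page's note).
MAX_ROWS_PER_SEARCH = 1000

# Constructed sample rows in the shape gcb-get-data-table returns under "rows"
# (each row's "values" maps a column name to its cell value).
SAMPLE_ROWS = [
    {"name": "row1", "values": {"column_name_1": "Value1", "column_name_2": "other"}},
    {"name": "row2", "values": {"column_name_1": "value2", "column_name_2": "VALUE2"}},
    {"name": "row3", "values": {"column_name_1": "x", "column_name_2": "y"}},
]


def split_values(raw: str, delimiter: str = ",") -> List[str]:
    """Split the 'values' argument on the delimiter; trim whitespace, drop empties."""
    return [v.strip() for v in raw.split(delimiter) if v.strip()]


def verify_values(
    rows: List[Dict],
    raw_values: str,
    columns: Optional[List[str]] = None,
    case_insensitive: bool = False,
    delimiter: str = ",",
    add_not_found_columns: bool = False,
) -> Tuple[List[Dict], bool]:
    """Return (context entries, more_rows_remain).

    A value is "Found" when it equals a cell in any searched column of any row
    within the first MAX_ROWS_PER_SEARCH rows; the caller must page (the page
    token is modelled here as the returned boolean) to cover the rest.
    """
    page, more_rows = rows[:MAX_ROWS_PER_SEARCH], len(rows) > MAX_ROWS_PER_SEARCH
    if columns is None:  # no 'columns' argument: search every column seen in the rows
        columns = list(dict.fromkeys(c for r in page for c in r["values"]))
    norm = str.casefold if case_insensitive else str

    results = []
    for value in split_values(raw_values, delimiter):
        found = [
            c for c in columns
            if any(norm(str(r["values"].get(c, ""))) == norm(value) for r in page)
        ]
        entry = {
            "value": value,
            "case_insensitive": case_insensitive,
            "overall_status": "Found" if found else "Not Found",
        }
        if found:
            entry["found_in_columns"] = found
        not_found = [c for c in columns if c not in found]
        if not_found and add_not_found_columns:
            entry["not_found_in_columns"] = not_found
        results.append(entry)
    return results, more_rows
```

Run against the constructed rows with the page's own arguments, the result is the three context entries shown above.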

36. gcb-data-table-add-row

Adds rows to a data table.

Base Command

gcb-data-table-add-row

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the data table. | Required |
| rows | Provide the list of rows data that need to be added in the data table. Format accepted is: [{"columnName1": "value1","columnName2": "value2"},{"columnName1": "value3","columnName2": "value4"}] Note: Use "gcb-get-data-table" to retrieve the column names of the data table. | Optional |
| entry_id | Provide the entry ID of a comma-separated CSV file containing the rows to add. Note: Provide exactly one of "rows" or "entry_id". A maximum of 1000 rows can be added in a single execution. You can get the entry_id from the context path (File.EntryID). | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.DataTableRows.name | String | The identifier of the data table row. |
| GoogleChronicleBackstory.DataTableRows.values | String | The values of the data table row. |

Command Example

!gcb-data-table-add-row name=data_table_name rows=[{"column1":"value1","column2":"value2"},{"column1":"value3","column2":"value4"}]

Context Example

{
"GoogleChronicleBackstory": {
"DataTableRows": [
{
"name": "projects/dummy_project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/test_table/dataTableRows/row1",
"values": {
"column1": "value1",
"column2": "value2"
}
},
{
"name": "projects/dummy_project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/test_table/dataTableRows/row2",
"values": {
"column1": "value3",
"column2": "value4"
}
}
]
}
}

Human Readable Output

Successfully added rows to the data_table_name data table

| column1 | column2 |
| --- | --- |
| value1 | value2 |
| value3 | value4 |
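An added Python example, not the integration's own code, showing how a CSV such as the one entry_id references can be checked against the table's columnInfo (as returned by gcb-get-data-table) before it is submitted: unknown columns, ragged lines, malformed CIDR values and more than 1000 rows are rejected. The function name, the sample columnInfo and the CSV content are constructed here.

```python
"""Added example (not the Google SecOps integration's own code): validates a CSV
upload of the kind gcb-data-table-add-row's entry_id argument references against
the table's columnInfo and produces the list shape the 'rows' argument takes."""
import csv
import io
import ipaddress
from typing import Dict, List

MAX_ROWS_PER_ADD = 1000  # per the page: at most 1000 rows can be added per execution

# Constructed columnInfo in the shape gcb-get-data-table returns.
SAMPLE_COLUMN_INFO = [
    {"columnIndex": 0, "columnType": "STRING", "originalColumn": "column_1"},
    {"columnIndex": 1, "columnType": "STRING", "originalColumn": "column_2"},
    {"columnIndex": 2, "columnType": "CIDR", "originalColumn": "column_3"},
]

# Constructed CSV text standing in for the uploaded file; the header row names the columns.
SAMPLE_CSV = (
    "column_1,column_2,column_3\n"
    "value_1,value_2,10.0.0.0/24\n"
    "value_3,value_4,192.168.1.7\n"
)


def csv_to_rows(csv_text: str, column_info: List[Dict]) -> List[Dict[str, str]]:
    """Parse CSV into the [{column: value}, ...] list the 'rows' argument takes.

    Rejects header names the table does not have, ragged lines, CIDR cells that
    do not parse, and uploads over the per-execution row limit, so a bad file
    fails before anything reaches the reference list.
    """
    known = {c["originalColumn"]: c["columnType"] for c in column_info}
    reader = csv.DictReader(io.StringIO(csv_text))
    unknown = [h for h in (reader.fieldnames or []) if h not in known]
    if unknown:
        raise ValueError(f"CSV header names columns the table lacks: {unknown}")

    rows: List[Dict[str, str]] = []
    for line_no, record in enumerate(reader, start=2):  # line 1 is the header
        # DictReader files extra fields under the key None and pads short lines with None
        if None in record or any(v is None for v in record.values()):
            raise ValueError(f"line {line_no}: field count does not match the header")
        clean = {col: val.strip() for col, val in record.items()}
        for col, val in clean.items():
            if known[col] == "CIDR":
                try:
                    # strict=False tolerates host bits; a bare address becomes a /32 or /128
                    ipaddress.ip_network(val, strict=False)
                except ValueError as exc:
                    raise ValueError(f"line {line_no}: {col} is not a CIDR: {val!r}") from exc
        rows.append(clean)

    if len(rows) > MAX_ROWS_PER_ADD:
        raise ValueError(f"{len(rows)} rows exceed the {MAX_ROWS_PER_ADD}-row limit per execution")
    return rows
```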

37. gcb-data-table-remove-row

Removes rows from a data table based on the specified row data.

Note: This command only removes matching rows from the first 1000 data table rows. To remove from the next set of rows, use the page_token argument.

Base Command

gcb-data-table-remove-row

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Provide the name of the data table. | Required |
| rows | Provide the list of rows data that need to be removed from the data table. Format accepted is: [{"columnName1": "value1","columnName2": "value2"},{"columnName1": "value3","columnName2": "value4"}] Example: If you provide [{"columnName1": "value1"}], all rows where columnName1 has value1 are removed. If you provide [{"columnName1": "value1", "columnName2": "value2"}], all rows where columnName1 has value1 and columnName2 has value2 are removed. Note: Use "gcb-get-data-table" to retrieve the column names of the data table. | Optional |
| entry_id | Provide the entry ID of a comma-separated CSV file containing the row data for removal. Note: Provide exactly one of "rows" or "entry_id". You can get the entry_id from the context path (File.EntryID). | Optional |
| page_token | The page token to search and remove the next set of data table rows. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.RemovedDataTableRows.name | String | The identifier of the row. |
| GoogleChronicleBackstory.RemovedDataTableRows.values | String | The values of the row. |
| GoogleChronicleBackstory.RemovedDataTableRows.createTime | Date | The time when the row was created. |
| GoogleChronicleBackstory.RemovedDataTableRows.updateTime | Date | The time when the row was updated. |

Command Example

!gcb-data-table-remove-row name=data_table_name rows=[{"column_1":"value1","column_2":"value2"},{"column_1":"value3","column_2":"value4"}]

Context Example

{
"GoogleChronicleBackstory": {
"RemovedDataTableRows": [
{
"createTime": "2025-08-22T07:29:18.504543Z",
"name": "projects/project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/data_table_name/dataTableRows/data_table_row_id",
"updateTime": "2025-08-22T07:29:18.504543Z",
"values": {
"column_1": "value1",
"column_2": "value2"
}
},
{
"createTime": "2025-08-22T07:29:18.482255Z",
"name": "projects/project_id/locations/dummy_location/instances/dummy_instance_id/dataTables/data_table_name/dataTableRows/data_table_row_id",
"updateTime": "2025-08-22T07:29:18.482255Z",
"values": {
"column_1": "value3",
"column_2": "value4"
}
}
]
}
}

Human Readable Output

Successfully removed rows from the data_table_name data table

| column_1 | column_2 |
| --- | --- |
| value1 | value2 |
| value3 | value4 |

The command can search and remove up to 1000 rows in a single execution. To remove the next set of data table rows, execute the command with the page token as dummy_page_token.
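The selection rule the rows argument describes (every column named in one criterion must match, and any matching criterion removes the row), as an added Python example that is not the integration's own code; it lets a playbook preview which rows a removal would touch before the command is issued. The function names, the sample rows, and the guard against unknown or empty criteria are constructed here.

```python
"""Added example (not the Google SecOps integration's own code): models how the
documented 'rows' criteria of gcb-data-table-remove-row select rows within the
1000-row window, so a removal can be previewed against a copy of the table."""
from typing import Dict, List, Tuple

MAX_ROWS_PER_REMOVE = 1000  # the command searches the first 1000 rows per execution

# Constructed rows in the shape gcb-get-data-table returns under "rows".
SAMPLE_ROWS = [
    {"name": "r1", "values": {"column_1": "value1", "column_2": "value2"}},
    {"name": "r2", "values": {"column_1": "value1", "column_2": "value9"}},
    {"name": "r3", "values": {"column_1": "value3", "column_2": "value4"}},
    {"name": "r4", "values": {"column_1": "value5", "column_2": "value2"}},
]


def matches(row_values: Dict[str, str], criterion: Dict[str, str]) -> bool:
    """A criterion matches when every column it names holds the given value (AND)."""
    return all(row_values.get(col) == val for col, val in criterion.items())


def select_rows_for_removal(
    rows: List[Dict], criteria: List[Dict[str, str]], known_columns: List[str]
) -> Tuple[List[Dict], List[Dict], bool]:
    """Return (rows to remove, rows kept, more_pages_remain).

    Criteria are OR-ed: a row is removed if any criterion matches it. Column
    names are checked against the table's columns first (constructed guard):
    a misspelt key would otherwise match nothing and look like a no-op, and an
    empty criterion would match every row.
    """
    for crit in criteria:
        if not crit:
            raise ValueError("an empty criterion would match every row")
        bad = set(crit) - set(known_columns)
        if bad:
            raise ValueError(f"unknown column(s) in criteria: {sorted(bad)}")

    page = rows[:MAX_ROWS_PER_REMOVE]
    more_pages = len(rows) > MAX_ROWS_PER_REMOVE
    removed: List[Dict] = []
    kept: List[Dict] = []
    for row in page:
        target = removed if any(matches(row["values"], c) for c in criteria) else kept
        target.append(row)
    return removed, kept, more_pages
```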

38. gcb-get-detection

Retrieves the details of the specified detection.

Base Command

gcb-get-detection

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | Specify the ID or version ID of the rule. You can specify exactly one rule identifier. Use the following format to specify the ID: ru{UUID} or {ruleId}@v{int64}_{int64}. Note: Use the gcb-list-rules command to retrieve the rule ID. | Required |
| detection_id | Specify the ID of the detection. Note: Use the gcb-list-detections command to retrieve the detection ID. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| GoogleChronicleBackstory.Detections.id | String | Identifier for the detection. |
| GoogleChronicleBackstory.Detections.ruleId | String | Identifier for the rule generating the detection. |
| GoogleChronicleBackstory.Detections.ruleVersion | String | Identifier for the rule version generating the detection. |
| GoogleChronicleBackstory.Detections.ruleName | String | Name of the rule generating the detection, as parsed from ruleText. |
| GoogleChronicleBackstory.Detections.timeWindowStartTime | Date | The start time of the window the detection was found in. |
| GoogleChronicleBackstory.Detections.timeWindowEndTime | Date | The end time of the window the detection was found in. |
| GoogleChronicleBackstory.Detections.alertState | String | Indicates whether the rule generating this detection currently has alerting enabled or disabled. |
| GoogleChronicleBackstory.Detections.urlBackToProduct | String | URL pointing to the Chronicle UI for this detection. |
| GoogleChronicleBackstory.Detections.type | String | Type of detection. |
| GoogleChronicleBackstory.Detections.createdTime | Date | Time the detection was created. |
| GoogleChronicleBackstory.Detections.detectionTime | Date | The time period the detection was found in. |
| GoogleChronicleBackstory.Detections.ruleType | String | Whether the rule generating this detection is a single event or multi-event rule. |
| GoogleChronicleBackstory.Detections.detectionFields.key | String | The key for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.Detections.detectionFields.value | String | The value for a field specified in the rule, for MULTI_EVENT rules. |
| GoogleChronicleBackstory.Detections.collectionElements.label | String | The variable a given set of UDM events belongs to. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principalAssetIdentifier | String | Specifies the principal asset identifier of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.targetAssetIdentifier | String | Specifies the target asset identifier of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.Detections.collectionElements.references.ingestedTimestamp | Date | The GMT timestamp when the event was ingested in the vendor's instance. |
| GoogleChronicleBackstory.Detections.collectionElements.references.description | String | Human-readable description of the event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.Detections.collectionElements.references.productVersion | String | Specifies the version of the product. |
| GoogleChronicleBackstory.Detections.collectionElements.references.urlBackToProduct | String | URL linking to a relevant website where you can view more information about this specific event or the general event category. |
| GoogleChronicleBackstory.Detections.collectionElements.references.vendorName | String | Specifies the product vendor's name. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.email | String | Email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.mac | String | MAC addresses associated with a device. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.url | String | Standard URL. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.principal.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.email | String | Email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.url | String | Standard URL. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.target.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.email | String | Email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.url | String | Standard URL. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.intermediary.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.email | String | Email address. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.url | String | Standard URL. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fileMetadata | String | Metadata associated with the file. |
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.observer.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.about.emailStringEmail address.
GoogleChronicleBackstory.Detections.collectionElements.references.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Detections.collectionElements.references.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Detections.collectionElements.references.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Detections.collectionElements.references.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Detections.collectionElements.references.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Detections.collectionElements.references.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Detections.collectionElements.references.about.urlStringStandard URL.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Detections.collectionElements.references.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Detections.collectionElements.references.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Detections.collectionElements.references.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Detections.collectionElements.references.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Detections.collectionElements.references.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Detections.collectionElements.references.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Detections.collectionElements.references.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Detections.collectionElements.references.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Detections.collectionElements.references.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.requestedAddressStringIP address requested by the client (DHCP option 50).
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.chaddrStringClient hardware (MAC) address from the DHCP header.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dhcp.yiaddrString"Your" IP address: the address the server offers or assigns to the client.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Detections.collectionElements.references.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Detections.collectionElements.references.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Detections.collectionElements.references.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Detections.collectionElements.references.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Detections.collectionElements.references.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Detections.collectionElements.references.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Detections.collectionElements.references.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.

Command example#

```
!gcb-get-detection rule_id=ru_dummy_rule_id detection_id=de_dummy_detection_id
```

Context Example#

```json
{
  "GoogleChronicleBackstory": {
    "Detections": {
      "alertState": "ALERTING",
      "collectionElements": [
        {
          "label": "event",
          "references": [
            {
              "eventTimestamp": "2025-08-21T02:58:06.804Z",
              "eventType": "NETWORK_DNS",
              "ingestedTimestamp": "2025-08-21T03:02:46.559472Z",
              "network": {
                "applicationProtocol": "DNS",
                "dns": {
                  "answers": [
                    {
                      "data": "4.3.2.1",
                      "name": "test1.com",
                      "ttl": 11111,
                      "type": 1
                    }
                  ],
                  "questions": [
                    {
                      "name": "test.com",
                      "type": 1
                    }
                  ],
                  "response": true
                }
              },
              "principal": {
                "hostname": "ray-xxx-laptop",
                "ip": [
                  "0.0.0.0"
                ],
                "mac": [
                  "00:00:00:00:00:00"
                ]
              },
              "principalAssetIdentifier": "ray-xxx-laptop",
              "productName": "ExtraHop",
              "securityResult": [
                {
                  "action": [
                    "UNKNOWN_ACTION"
                  ]
                }
              ],
              "target": {
                "ip": [
                  "0.0.0.1"
                ]
              },
              "targetAssetIdentifier": "0.0.0.1"
            }
          ]
        }
      ],
      "createdTime": "2025-08-21T03:12:50.128428Z",
      "description": "description",
      "detectionFields": [
        {
          "key": "client_ip",
          "value": "0.0.0.0"
        }
      ],
      "detectionTime": "2025-08-21T03:54:00Z",
      "id": "de_dummy_detection_id",
      "riskScore": 40,
      "ruleId": "ru_dummy_rule_id",
      "ruleLabels": [
        {
          "key": "author",
          "value": "user1"
        },
        {
          "key": "description",
          "value": "description"
        },
        {
          "key": "severity",
          "value": "Medium"
        }
      ],
      "ruleName": "SampleRule",
      "ruleType": "MULTI_EVENT",
      "ruleVersion": "ru_dummy_rule_id@v_version_id",
      "timeWindowEndTime": "2025-08-21T03:54:00Z",
      "timeWindowStartTime": "2025-08-21T02:54:00Z",
      "type": "RULE_DETECTION",
      "urlBackToProduct": "https://dummy-chronicle/alert?alertId=de_dummy_detection_id"
    }
  }
}
```
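The context above is what a playbook actually consumes after `gcb-get-detection`. The following is an added example, not part of the integration or of Google's code, showing how to walk that context to pull out the indicators worth enriching (queried domains, hostnames, IPs, file hashes) and to derive a numeric incident severity from the rule's `severity` label. It embeds a constructed, trimmed copy of the documented context shape so it runs offline; the label-to-XSOAR severity mapping and the choice of which UDM nouns to scan are this example's own assumptions.

```python
"""Pull indicators and a severity out of a gcb-get-detection context entry.

Added example for this page, not the integration's own code. In a Cortex XSOAR
automation the dict would come from demisto.context(); here a constructed copy
of the documented context shape is embedded so the example runs offline.
"""
from typing import Any, Optional

# Constructed sample, trimmed to the parts of the documented context shape used below.
SAMPLE_CONTEXT: dict[str, Any] = {
    "GoogleChronicleBackstory": {
        "Detections": {
            "id": "de_dummy_detection_id",
            "ruleName": "SampleRule",
            "riskScore": 40,
            "ruleLabels": [{"key": "author", "value": "user1"},
                           {"key": "severity", "value": "Medium"}],
            "collectionElements": [{
                "label": "event",
                "references": [{
                    "eventType": "NETWORK_DNS",
                    "network": {"dns": {
                        "questions": [{"name": "test.com", "type": 1}],
                        "answers": [{"name": "test1.com", "data": "4.3.2.1", "ttl": 11111, "type": 1}],
                        "response": True}},
                    "principal": {"hostname": "ray-xxx-laptop", "ip": ["0.0.0.0"]},
                    "target": {"ip": ["0.0.0.1"]},
                }],
            }],
        }
    }
}

# Assumed mapping from the rule's "severity" label to XSOAR's numeric incident severity (0 = unknown).
SEVERITY_TO_XSOAR = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# UDM nouns that can carry hostname/ip/file data on a referenced event.
ENTITY_NOUNS = ("principal", "target", "src", "intermediary", "observer", "about")


def _as_list(value: Any) -> list:
    """Context fields such as ip may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def detections(context: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the Detections entries (a single dict in the doc example, a list after several runs)."""
    return _as_list(context.get("GoogleChronicleBackstory", {}).get("Detections"))


def rule_label(detection: dict[str, Any], key: str) -> Optional[str]:
    """Look up one ruleLabels key/value pair (author, description, severity, ...)."""
    for label in detection.get("ruleLabels", []):
        if label.get("key") == key:
            return label.get("value")
    return None


def xsoar_severity(detection: dict[str, Any]) -> int:
    """Map the rule's severity label to XSOAR's 0-4 scale; 0 when absent or unrecognised."""
    return SEVERITY_TO_XSOAR.get((rule_label(detection, "severity") or "").lower(), 0)


def extract_indicators(detection: dict[str, Any]) -> dict[str, list[str]]:
    """Collect queried domains, hostnames, IPs and SHA-256 hashes from every referenced event."""
    found: dict[str, set[str]] = {"domain": set(), "hostname": set(), "ip": set(), "sha256": set()}
    for element in detection.get("collectionElements", []):
        for ref in element.get("references", []):
            dns = (ref.get("network") or {}).get("dns") or {}
            # The queried name is the indicator; answer owner names may be CNAME intermediates.
            found["domain"].update(q["name"] for q in dns.get("questions", []) if q.get("name"))
            # Only A (1) and AAAA (28) answers carry an IP in "data".
            found["ip"].update(a["data"] for a in dns.get("answers", [])
                               if a.get("type") in (1, 28) and a.get("data"))
            for noun in ENTITY_NOUNS:
                entity = ref.get(noun) or {}
                if entity.get("hostname"):
                    found["hostname"].add(entity["hostname"])
                found["ip"].update(_as_list(entity.get("ip")))
                # file may sit on the noun or under process.file (a bare string when only the name is known).
                for file_obj in (entity.get("file"), (entity.get("process") or {}).get("file")):
                    if isinstance(file_obj, dict) and file_obj.get("sha256"):
                        found["sha256"].add(file_obj["sha256"])
    return {kind: sorted(values) for kind, values in found.items()}


def summarize(context: dict[str, Any]) -> list[dict[str, Any]]:
    """One row per detection: what a playbook needs to set severity and run enrichment."""
    return [{"id": d.get("id"), "rule": d.get("ruleName"), "risk_score": d.get("riskScore"),
             "severity": xsoar_severity(d), "indicators": extract_indicators(d)}
            for d in detections(context)]


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_CONTEXT), indent=2))
```

In an XSOAR automation you would pass `demisto.context()` instead of `SAMPLE_CONTEXT` and hand the `domain` and `ip` lists to the integration's reputation commands. `Detections` is a single object in the example above but becomes a list once several detections share the context, which is why `detections()` normalises it before anything else touches the data.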

Human Readable Output#

Detection Details for de_dummy_detection_id#

| Detection ID | Detection Type | Rule Name | Rule ID | Rule Type | Severity | Risk Score | Alert State | Description | Events | Created Time | Detection Time |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| de_dummy_detection_id | RULE_DETECTION | SampleRule | ru_dummy_rule_id | MULTI_EVENT | Medium | 40 | ALERTING | description | Event Timestamp: 2025-08-21T02:58:06.804Z<br>Event Type: NETWORK_DNS<br>Principal Asset Identifier: ray-xxx-laptop<br>Target Asset Identifier: 0.0.0.1<br>Queried Domain: test.com | 2025-08-21T03:12:50.128428Z | 2025-08-21T03:54:00Z |

Migration Guide#

Note:

  • For fetching incidents, set the First Fetch parameter to the start time of the previous integration's last run. This may create duplicate incidents for the overlapping window, but it ensures that no alert data is lost.
  • This integration only supports fetching IOC domain matches. To fetch user-defined Rule Detection and Curated Rule Detection alerts, use the Streaming API integration.
  • The Asset Alerts and User Alerts options are no longer available in this integration because the underlying APIs have been deprecated.

Migrated Commands#

The table below lists the commands that have been migrated from the "Chronicle" integration to the "Google SecOps" integration.

Command Name
gcb-list-iocs
ip
domain
gcb-ioc-details
gcb-list-events
gcb-list-detections
gcb-list-rules
gcb-create-rule
gcb-get-rule
gcb-delete-rule
gcb-create-rule-version
gcb-change-rule-alerting-status
gcb-change-live-rule-status
gcb-start-retrohunt
gcb-get-retrohunt
gcb-list-retrohunts
gcb-cancel-retrohunt
gcb-list-reference-list
gcb-get-reference-list
gcb-create-reference-list
gcb-update-reference-list
gcb-verify-reference-list
gcb-test-rule-stream
gcb-list-curatedrules
gcb-list-curatedrule-detections
gcb-udm-search
gcb-verify-value-in-reference-list
gcb-verify-rule
gcb-get-event
gcb-reference-list-append-content
gcb-reference-list-remove-content

Deprecated Commands#

Some commands from the previous integration have been deprecated on the Google API side. The table below lists the commands that have been deprecated with no replacement.

Deprecated Command
gcb-assets
gcb-list-alerts
gcb-list-useraliases
gcb-list-assetaliases