# ListDeviceEvents

This script is part of the Chronicle Pack.

Lists all events discovered within your enterprise on a particular device during the 2 hours preceding the current time.

## Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | enhancement |
| Cortex XSOAR Version | 5.0.0 |

## Dependencies

This script uses the following commands and scripts.

- gcb-list-events

## Inputs

| Argument Name | Description |
| --- | --- |
| asset_identifier | Host name, IP address or MAC address of the asset. |

## Outputs

| Path | Description | Type |
| --- | --- | --- |
| GoogleChronicleBackstory.Events.eventType | Specifies the type of the event. | String |
| GoogleChronicleBackstory.Events.eventTimestamp | The GMT timestamp when the event was generated. | Date |
| GoogleChronicleBackstory.Events.collectedTimestamp | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. | Date |
| GoogleChronicleBackstory.Events.description | Human-readable description of the event. | String |
| GoogleChronicleBackstory.Events.productEventType | Short, descriptive, human-readable, and product-specific event name or type. | String |
| GoogleChronicleBackstory.Events.productLogId | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. | String |
| GoogleChronicleBackstory.Events.productName | Specifies the name of the product. | String |
| GoogleChronicleBackstory.Events.productVersion | Specifies the version of the product. | String |
| GoogleChronicleBackstory.Events.urlBackToProduct | URL linking to a relevant website where you can view more information about this specific event or the general event category. | String |
| GoogleChronicleBackstory.Events.vendorName | Specifies the product vendor's name. | String |
| GoogleChronicleBackstory.Events.principal.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.principal.email | Email address. | String |
| GoogleChronicleBackstory.Events.principal.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.principal.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.principal.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.principal.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.principal.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.principal.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.principal.mac | MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.principal.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.principal.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.principal.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.principal.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.principal.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.principal.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.principal.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.principal.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.principal.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.principal.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.principal.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.principal.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.principal.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.principal.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.principal.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.principal.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.principal.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.principal.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.principal.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.principal.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.target.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.target.email | Email address. | String |
| GoogleChronicleBackstory.Events.target.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.target.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.target.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.target.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.target.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.target.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.target.mac | One or more MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.target.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.target.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.target.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.target.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.target.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.target.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.target.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.target.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.target.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.target.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.target.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.target.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.target.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.target.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.target.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.target.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.target.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.target.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.target.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.target.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.target.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.target.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.target.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.target.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.target.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.target.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.target.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.target.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.target.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.target.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.intermediary.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.intermediary.email | Email address. | String |
| GoogleChronicleBackstory.Events.intermediary.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.intermediary.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.intermediary.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.intermediary.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.intermediary.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.intermediary.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.intermediary.mac | One or more MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.intermediary.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.intermediary.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.intermediary.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.intermediary.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.intermediary.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.intermediary.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.intermediary.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.intermediary.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.intermediary.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.intermediary.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.intermediary.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.intermediary.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.src.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.src.email | Email address. | String |
| GoogleChronicleBackstory.Events.src.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.src.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.src.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.src.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.src.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.src.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.src.mac | One or more MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.src.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.src.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.src.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.src.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.src.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.src.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.src.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.src.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.src.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.src.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.src.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.src.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.src.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.src.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.src.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.src.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.src.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.src.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.src.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.src.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.src.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.src.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.src.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.src.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.src.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.src.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.src.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.src.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.src.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.src.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.observer.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.observer.email | Email address. | String |
| GoogleChronicleBackstory.Events.observer.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.observer.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.observer.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.observer.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.observer.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.observer.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.observer.mac | One or more MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.observer.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.observer.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.observer.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.observer.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.observer.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.observer.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.observer.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.observer.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.observer.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.observer.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.observer.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.observer.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.observer.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.observer.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.observer.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.observer.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.observer.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.observer.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.observer.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.observer.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.about.assetId | Vendor-specific unique device identifier. | String |
| GoogleChronicleBackstory.Events.about.email | Email address. | String |
| GoogleChronicleBackstory.Events.about.hostname | Client hostname or domain name field. | String |
| GoogleChronicleBackstory.Events.about.platform | Platform operating system. | String |
| GoogleChronicleBackstory.Events.about.platformPatchLevel | Platform operating system patch level. | String |
| GoogleChronicleBackstory.Events.about.platformVersion | Platform operating system version. | String |
| GoogleChronicleBackstory.Events.about.ip | IP address associated with a network connection. | String |
| GoogleChronicleBackstory.Events.about.port | Source or destination network port number when a specific network connection is described within an event. | String |
| GoogleChronicleBackstory.Events.about.mac | One or more MAC addresses associated with a device. | String |
| GoogleChronicleBackstory.Events.about.administrativeDomain | Domain which the device belongs to (for example, the Windows domain). | String |
| GoogleChronicleBackstory.Events.about.url | Standard URL. | String |
| GoogleChronicleBackstory.Events.about.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.about.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.about.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.about.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.about.process.commandLine | Stores the command line string for the process. | String |
| GoogleChronicleBackstory.Events.about.process.productSpecificProcessId | Stores the product specific process ID. | String |
| GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessId | Stores the product specific process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.about.process.file | Stores the file name of the file in use by the process. | String |
| GoogleChronicleBackstory.Events.about.process.file.fileMetadata | Metadata associated with the file. | String |
| GoogleChronicleBackstory.Events.about.process.file.fullPath | Full path identifying the location of the file on the system. | String |
| GoogleChronicleBackstory.Events.about.process.file.md5 | MD5 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.process.file.mimeType | Multipurpose Internet Mail Extensions (MIME) type of the file. | String |
| GoogleChronicleBackstory.Events.about.process.file.sha1 | SHA-1 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.process.file.sha256 | SHA-256 hash value of the file. | String |
| GoogleChronicleBackstory.Events.about.process.file.size | Size of the file. | String |
| GoogleChronicleBackstory.Events.about.process.parentPid | Stores the process ID for the parent process. | String |
| GoogleChronicleBackstory.Events.about.process.pid | Stores the process ID. | String |
| GoogleChronicleBackstory.Events.about.registry.registryKey | Stores the registry key associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.about.registry.registryValueName | Stores the name of the registry value associated with an application or system component. | String |
| GoogleChronicleBackstory.Events.about.registry.registryValueData | Stores the data associated with a registry value. | String |
| GoogleChronicleBackstory.Events.about.user.emailAddresses | Stores the email addresses for the user. | String |
| GoogleChronicleBackstory.Events.about.user.employeeId | Stores the human resources employee ID for the user. | String |
| GoogleChronicleBackstory.Events.about.user.firstName | Stores the first name for the user. | String |
| GoogleChronicleBackstory.Events.about.user.middleName | Stores the middle name for the user. | String |
| GoogleChronicleBackstory.Events.about.user.lastName | Stores the last name for the user. | String |
| GoogleChronicleBackstory.Events.about.user.groupid | Stores the group ID associated with a user. | String |
| GoogleChronicleBackstory.Events.about.user.phoneNumbers | Stores the phone numbers for the user. | String |
| GoogleChronicleBackstory.Events.about.user.title | Stores the job title for the user. | String |
| GoogleChronicleBackstory.Events.about.user.userDisplayName | Stores the display name for the user. | String |
| GoogleChronicleBackstory.Events.about.user.userid | Stores the user ID. | String |
| GoogleChronicleBackstory.Events.about.user.windowsSid | Stores the Microsoft Windows security identifier (SID) associated with a user. | String |
| GoogleChronicleBackstory.Events.network.applicationProtocol | Indicates the network application protocol. | String |
| GoogleChronicleBackstory.Events.network.direction | Indicates the direction of network traffic. | String |
| GoogleChronicleBackstory.Events.network.email | Specifies the email address for the sender/recipient. | String |
| GoogleChronicleBackstory.Events.network.ipProtocol | Indicates the IP protocol. | String |
| GoogleChronicleBackstory.Events.network.receivedBytes | Specifies the number of bytes received. | String |
| GoogleChronicleBackstory.Events.network.sentBytes | Specifies the number of bytes sent. | String |
| GoogleChronicleBackstory.Events.network.dhcp.clientHostname | Hostname for the client. | String |
| GoogleChronicleBackstory.Events.network.dhcp.clientIdentifier | Client identifier. | String |
| GoogleChronicleBackstory.Events.network.dhcp.file | Filename for the boot image. | String |
| GoogleChronicleBackstory.Events.network.dhcp.flags | Value for the DHCP flags field. | String |
| GoogleChronicleBackstory.Events.network.dhcp.hlen | Hardware address length. | String |
| GoogleChronicleBackstory.Events.network.dhcp.hops | DHCP hop count. | String |
| GoogleChronicleBackstory.Events.network.dhcp.htype | Hardware address type. | String |
| GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSeconds | Client-requested lease time for an IP address in seconds. | String |
| GoogleChronicleBackstory.Events.network.dhcp.opcode | BOOTP op code. | String |
| GoogleChronicleBackstory.Events.network.dhcp.requestedAddress | Client identifier. | String |
| GoogleChronicleBackstory.Events.network.dhcp.seconds | Seconds elapsed since the client began the address acquisition/renewal process. | String |
| GoogleChronicleBackstory.Events.network.dhcp.sname | Name of the server which the client has requested to boot from. | String |
| GoogleChronicleBackstory.Events.network.dhcp.transactionId | Client transaction ID. | String |
| GoogleChronicleBackstory.Events.network.dhcp.type | DHCP message type. | String |
| GoogleChronicleBackstory.Events.network.dhcp.chaddr | IP address for the client hardware. | String |
| GoogleChronicleBackstory.Events.network.dhcp.ciaddr | IP address for the client. | String |
| GoogleChronicleBackstory.Events.network.dhcp.giaddr | IP address for the relay agent. | String |
| GoogleChronicleBackstory.Events.network.dhcp.siaddr | IP address for the next bootstrap server. | String |
| GoogleChronicleBackstory.Events.network.dhcp.yiaddr | Your IP address. | String |
| GoogleChronicleBackstory.Events.network.dns.authoritative | Set to true for authoritative DNS servers. | String |
| GoogleChronicleBackstory.Events.network.dns.id | Stores the DNS query identifier. | String |
| GoogleChronicleBackstory.Events.network.dns.response | Set to true if the event is a DNS response. | String |
| GoogleChronicleBackstory.Events.network.dns.opcode | Stores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.). | String |
| GoogleChronicleBackstory.Events.network.dns.recursionAvailable | Set to true if a recursive DNS lookup is available. | String |
| GoogleChronicleBackstory.Events.network.dns.recursionDesired | Set to true if a recursive DNS lookup is requested. | String |
| GoogleChronicleBackstory.Events.network.dns.responseCode | Stores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification. | String |
| GoogleChronicleBackstory.Events.network.dns.truncated | Set to true if this is a truncated DNS response. | String |
| GoogleChronicleBackstory.Events.network.dns.questions.name | Stores the domain name. | String |
| GoogleChronicleBackstory.Events.network.dns.questions.class | Stores the code specifying the class of the query. | String |
| GoogleChronicleBackstory.Events.network.dns.questions.type | Stores the code specifying the type of the query. | String |
| GoogleChronicleBackstory.Events.network.dns.answers.binaryData | Stores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response. | String |
| GoogleChronicleBackstory.Events.network.dns.answers.class | Stores the code specifying the class of the resource record. | String |
| GoogleChronicleBackstory.Events.network.dns.answers.data | Stores the payload or response to the DNS question for all responses encoded in UTF-8 format. | String |
GoogleChronicleBackstory.Events.network.dns.answers.nameStores the name of the owner of the resource record.String
GoogleChronicleBackstory.Events.network.dns.answers.ttlStores the time interval for which the resource record can be cached before the source of the information should again be queried.String
GoogleChronicleBackstory.Events.network.dns.answers.typeStores the code specifying the type of the resource record.String
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.String
GoogleChronicleBackstory.Events.network.dns.authority.classStores the code specifying the class of the resource record.String
GoogleChronicleBackstory.Events.network.dns.authority.dataStores the payload or response to the DNS question for all responses encoded in UTF-8 format.String
GoogleChronicleBackstory.Events.network.dns.authority.nameStores the name of the owner of the resource record.String
GoogleChronicleBackstory.Events.network.dns.authority.ttlStores the time interval for which the resource record can be cached before the source of the information should again be queried.String
GoogleChronicleBackstory.Events.network.dns.authority.typeStores the code specifying the type of the resource record.String
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.String
GoogleChronicleBackstory.Events.network.dns.additional.classStores the code specifying the class of the resource record.String
GoogleChronicleBackstory.Events.network.dns.additional.dataStores the payload or response to the DNS question for all responses encoded in UTF-8 format.String
GoogleChronicleBackstory.Events.network.dns.additional.nameStores the name of the owner of the resource record.String
GoogleChronicleBackstory.Events.network.dns.additional.ttlStores the time interval for which the resource record can be cached before the source of the information should again be queried.String
GoogleChronicleBackstory.Events.network.dns.additional.typeStores the code specifying the type of the resource record.String
GoogleChronicleBackstory.Events.network.email.fromStores the from email address.String
GoogleChronicleBackstory.Events.network.email.replyToStores the reply_to email address.String
GoogleChronicleBackstory.Events.network.email.toStores the to email addresses.String
GoogleChronicleBackstory.Events.network.email.ccStores the cc email addresses.String
GoogleChronicleBackstory.Events.network.email.bccStores the bcc email addresses.String
GoogleChronicleBackstory.Events.network.email.mailIdStores the mail (or message) ID.String
GoogleChronicleBackstory.Events.network.email.subjectStores the email subject line.String
GoogleChronicleBackstory.Events.network.ftp.commandStores the FTP command.String
GoogleChronicleBackstory.Events.network.http.methodStores the HTTP request method.String
GoogleChronicleBackstory.Events.network.http.referralUrlStores the URL for the HTTP referer.String
GoogleChronicleBackstory.Events.network.http.responseCodeStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.String
GoogleChronicleBackstory.Events.network.http.useragentStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.String
GoogleChronicleBackstory.Events.authentication.authTypeType of system an authentication event is associated with (Chronicle UDM).String
GoogleChronicleBackstory.Events.authentication.mechanismMechanism(s) used for authentication.String
GoogleChronicleBackstory.Events.securityResult.aboutProvide a description of the security result.String
GoogleChronicleBackstory.Events.securityResult.actionSpecify a security action.String
GoogleChronicleBackstory.Events.securityResult.categorySpecify a security category.String
GoogleChronicleBackstory.Events.securityResult.confidenceSpecify a confidence with regards to a security event as estimated by the product.String
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsAdditional detail with regards to the confidence of a security event as estimated by the product vendor.String
GoogleChronicleBackstory.Events.securityResult.prioritySpecify a priority with regards to a security event as estimated by the product vendor.String
GoogleChronicleBackstory.Events.securityResult.priorityDetailsVendor-specific information about the security result priority.String
GoogleChronicleBackstory.Events.securityResult.ruleIdIdentifier for the security rule.String
GoogleChronicleBackstory.Events.securityResult.ruleNameName of the security rule.String
GoogleChronicleBackstory.Events.securityResult.severitySeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.String
GoogleChronicleBackstory.Events.securityResult.severityDetailsSeverity for a security event as estimated by the product vendor.String
GoogleChronicleBackstory.Events.securityResult.threatNameName of the security threat.String
GoogleChronicleBackstory.Events.securityResult.urlBackToProductURL to direct you to the source product console for this security event.String

Script Example#

!ListDeviceEvents asset_identifier="ray-xxx-laptop"

Context Example#
{
  "GoogleChronicleBackstory.Events": [
    {
      "principal": {
        "ip": [
          "10.0.XX.XX"
        ],
        "mac": [
          "88:a6:XX:XX:XX:XX"
        ],
        "hostname": "ray-xxx-laptop"
      },
      "target": {
        "ip": [
          "8.8.8.8"
        ]
      },
      "network": {
        "applicationProtocol": "DNS",
        "dns": {
          "questions": [
            {
              "type": 1,
              "name": "is5-ssl.mzstatic.com"
            }
          ],
          "answers": [
            {
              "type": 1,
              "data": "104.118.212.43",
              "name": "is5-ssl.mzstatic.com",
              "ttl": 11111
            }
          ],
          "response": true
        }
      },
      "collectedTimestamp": "2020-01-02T00:00:00Z",
      "productName": "ExtraHop",
      "eventTimestamp": "2020-01-01T23:59:38Z",
      "eventType": "NETWORK_DNS"
    }
  ]
}
Human Readable Output#

Event(s) Details#

| Event Timestamp | Event Type | Principal Asset Identifier | Target Asset Identifier | Queried Domain |
| --- | --- | --- | --- | --- |
| 2020-01-01T23:59:38Z | NETWORK_DNS | ray-xxx-laptop | 8.8.8.8 | is5-ssl.mzstatic.com |

View events in Chronicle

Maximum number of events specified in page_size has been returned. There might still be more events in your Chronicle account. To fetch the next set of events, execute the command with the start time as 2020-01-01T23:59:38Z

Note that this script accepts only asset_identifier, so it cannot continue a paginated result by itself. When the note above appears, run the underlying gcb-list-events command with the same asset_identifier and its start_time argument set to the timestamp given in the note; events that share that exact timestamp may be returned again, so deduplicate on productLogId if the results are fed into further automation.
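The following is an added example, not code from the Chronicle pack or this script: it shows the work a ListDeviceEvents-style wrapper does around gcb-list-events, namely deciding whether the single asset_identifier input is a hostname, IP address or MAC address, turning returned UDM events into the rows of the "Event(s) Details" table above, and computing the start time for a follow-up query when a full page came back. The query field names hostname, asset_ip_address and mac, and the continuation rule (full page returned, resume from the newest eventTimestamp), are assumptions that mirror the page's sample output rather than facts taken from it; the sample event is constructed, modelled on the context example.

```python
# Added example (not the Chronicle pack's own code). Assumed, not from the page:
#   * the query field names hostname / asset_ip_address / mac;
#   * the continuation rule: a full page of events -> resume from the newest
#     eventTimestamp, mirroring the page's sample pagination note.
import ipaddress
import re
from typing import Any, Dict, List, Optional

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(\.{LABEL})*$")


def classify_asset_identifier(value: str) -> Dict[str, str]:
    """Map the script's single asset_identifier input onto one query field.

    IP literals are tested first so that "10.0.0.5" is never mistaken for a
    hostname; MACs are normalised to lower-case, colon-separated form.
    """
    v = value.strip()
    if not v:
        raise ValueError("asset_identifier must not be empty")
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6 literals
        return {"asset_ip_address": v}   # assumed parameter name
    except ValueError:
        pass
    if MAC_RE.match(v):
        return {"mac": v.lower().replace("-", ":")}  # assumed parameter name
    if HOSTNAME_RE.match(v) and len(v) <= 253:
        return {"hostname": v}           # assumed parameter name
    raise ValueError(f"not a hostname, IP address or MAC address: {value!r}")


def asset_identifier_of(noun: Dict[str, Any]) -> str:
    """Principal/Target column: hostname, else first IP, else first MAC."""
    if noun.get("hostname"):
        return noun["hostname"]
    for key in ("ip", "mac"):
        values = noun.get(key) or []
        if values:
            return values[0]
    return ""


def queried_domains(event: Dict[str, Any]) -> str:
    """Queried Domain column: every DNS question name, comma-separated."""
    questions = event.get("network", {}).get("dns", {}).get("questions", [])
    return ", ".join(q["name"] for q in questions if q.get("name"))


def summarise_events(events: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Build the rows of the 'Event(s) Details' table from UDM events."""
    return [
        {
            "Event Timestamp": e.get("eventTimestamp", ""),
            "Event Type": e.get("eventType", ""),
            "Principal Asset Identifier": asset_identifier_of(e.get("principal", {})),
            "Target Asset Identifier": asset_identifier_of(e.get("target", {})),
            "Queried Domain": queried_domains(e),
        }
        for e in events
    ]


def next_start_time(events: List[Dict[str, Any]], page_size: int) -> Optional[str]:
    """start_time for the follow-up query, or None when the page was not full.

    Timestamps are RFC 3339 "Z" strings of equal length, so a lexical max()
    picks the newest regardless of the order the API returned them in.
    """
    if page_size <= 0 or len(events) < page_size:
        return None
    return max(e.get("eventTimestamp", "") for e in events)


# Constructed sample modelled on the page's context example (not real data).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {
        "principal": {"ip": ["10.0.1.2"], "mac": ["88:a6:00:11:22:33"],
                      "hostname": "ray-xxx-laptop"},
        "target": {"ip": ["8.8.8.8"]},
        "network": {
            "applicationProtocol": "DNS",
            "dns": {"questions": [{"type": 1, "name": "is5-ssl.mzstatic.com"}],
                    "answers": [{"type": 1, "data": "104.118.212.43",
                                 "name": "is5-ssl.mzstatic.com", "ttl": 11111}],
                    "response": True},
        },
        "collectedTimestamp": "2020-01-02T00:00:00Z",
        "productName": "ExtraHop",
        "eventTimestamp": "2020-01-01T23:59:38Z",
        "eventType": "NETWORK_DNS",
    }
]

if __name__ == "__main__":
    print(classify_asset_identifier("ray-xxx-laptop"))
    for row in summarise_events(SAMPLE_EVENTS):
        print(row)
    print("next start_time:", next_start_time(SAMPLE_EVENTS, page_size=1))
```

Classifying the identifier before the query matters because a value such as "10.0.0.5" also matches a permissive hostname pattern; testing for an IP literal first keeps the lookup on the right asset field. The continuation helper deliberately returns None when fewer than page_size events came back, so a caller only re-queries when the page's "maximum number of events" condition actually holds.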