
Types Schema

Enrichments

Enrichments provides a top-level field for holding various ingest-time enrichment fields.

| Field | Type | Parser Field | Description |
|---|---|---|---|
| attack_technique_ids | repeated string | attackTechniqueIds$ | List of MITRE ATT&CK technique IDs. |
| rule_id_to_techniques | repeated KeyAndValues | ruleIdToTechniques$ | A mapping from each distinct rule_id to the list of MITRE ATT&CK techniques that the rule covers. |

EntityOptions

| Field | Type | Parser Field | Description |
|---|---|---|---|
| alias | repeated string | alias$ | Entity alias. |
| direction | EntityOptions.Direction | direction$ | Describes the direction in which data flows between two connected entities. |

ExternalURI

ExternalURI references an external resource for a given event. This may be the source of an event, research or other information that is outside of TDR.

| Field | Type | Parser Field | Description |
|---|---|---|---|
| uri | string | uri$ | Identifies the resource. This may be a web URL, UUID or other string that uniquely identifies a single event in another resource. |
| description | string | description$ | Contains a short description of what uri references. |

FileHash

| Field | Type | Parser Field | Description |
|---|---|---|---|
| md5 | string | md5$ | |
| sha1 | string | sha1$ | |
| sha256 | string | sha256$ | |
| sha512 | string | sha512$ | |

GeoSummary

GeoSummary provides a succinct summary of geographical facts associated with a given point-radius.

| Field | Type | Parser Field | Description |
|---|---|---|---|
| location | GeoSummary.Location | location$ | |
| city | GeoSummary.City | city$ | |
| continent | GeoSummary.Continent | continent$ | |
| country | GeoSummary.Country | country$ | |
| asn | GeoSummary.ASN | asn$ | |

GeoSummary.ASN

For more information on ASNs, see https://en.wikipedia.org/wiki/Autonomous_system_(Internet).

| Field | Type | Parser Field | Description |
|---|---|---|---|
| autonomous_system_no | uint32 | autonomousSystemNo$ | The autonomous system number associated with the IP address. |
| autonomous_system_org | string | autonomousSystemOrg$ | The organization associated with the registered autonomous system number for the IP address. |

GeoSummary.City

| Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the city as specified by GeoNames. |
| locale_names | KeyValuePairsIndexed | localeNames$ | A map from locale codes, such as "en", to the localized names for the feature. |
| name | string | name$ | The name of the city. |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in data sources and 99 representing total confidence in data sources. |

GeoSummary.City.NamesEntry

| Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | |
| value | string | value$ | |

GeoSummary.Continent

| Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the city as specified by GeoNames. |
| code | string | code$ | A two-character code for the continent associated with the IP address. The possible codes are: AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania), SA (South America). |

GeoSummary.Country

| Field | Type | Parser Field | Description |
|---|---|---|---|
| geoname_id | uint32 | geonameId$ | A unique identifier for the city as specified by GeoNames. |
| iso_code | string | isoCode$ | A two-character ISO 3166-1 country code for the country associated with the IP address. |
| code | string | code$ | A three-letter ISO 3166-1 alpha-3 country code (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-3). |
| confidence | uint32 | confidence$ | Range from 0 to 99, with 0 representing least confidence in data sources and 99 representing total confidence in data sources. |

GeoSummary.Location

| Field | Type | Parser Field | Description |
|---|---|---|---|
| radius | uint32 | radius$ | The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the IP address. |
| latitude | float | latitude$ | The approximate latitude and longitude of the postal code, city, subdivision or country associated with the IP address. |
| longitude | float | longitude$ | |
| us_metro_code | uint32 | usMetroCode$ | The metro code associated with the IP address. These are only available for IP addresses in the US. |
| timezone | string | timezone$ | The time zone associated with the location, as specified by the IANA Time Zone Database, e.g., "America/New_York". |
| gmt_offset | sint32 | gmtOffset$ | The offset from GMT associated with timezone. |
| metro_code | uint32 | metroCode$ | Deprecated. internal: this field is deprecated and should not be used; it must continue to exist for backwards compatibility with old data. |

HostPart

| Field | Type | Parser Field | Description |
|---|---|---|---|
| original_name | string | originalName$ | The original hostname value as it appeared in the original data. (EXAMPLE: SomeHost@secureworks.com) |
| name | string | name$ | Just the hostname value, void of any group or domain identifiers. (EXAMPLE: SomeHost) |
| domain | string | domain$ | The domain name value for the host, explicitly extracted from the original hostname value and not parsed from other fields or parts of the original data. (EXAMPLE: secureworks.com) |

KeyAndValues

| Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | |
| values | repeated string | values$ | |

KeyValuePairsIndexed

| Field | Type | Parser Field | Description |
|---|---|---|---|
| record | repeated KeyValueRecordIndexed | record$ | |

KeyValueRecordIndexed

| Field | Type | Parser Field | Description |
|---|---|---|---|
| key | string | key$ | Name of the object, such as 'filename'. |
| value | string | value$ | Value of the object, such as 'important.docx'. |

RelatedEvent

| Field | Type | Parser Field | Description |
|---|---|---|---|
| normalized_event | string | normalizedEvent$ | A normalized related event associated with the event, serialized as JSON. |

SearchOptions

| Field | Type | Parser Field | Description |
|---|---|---|---|
| id | bool | id$ | This field is the unique ID for this type. For events this is assumed to be the "resource_id" field, and this is optional. |
| index | bool | index$ | Whether this field should be indexed. Fields that are not indexed may not be searchable. |
| store | bool | store$ | Whether this field should be stored, so that it can be returned directly from index hits. Typically just the fields required to retrieve the whole event from storage are stored in the index, but some commonly requested fields may be worth storing. |
| tokenize | SearchOptions.TokenizationType | tokenize$ | Whether this field should be tokenized, and what kind of tokenization to perform. |
| group | bool | group$ | Whether this field may be the subject of a facet or group-by. |
| groupName | repeated string | groupName$ | If this field is used as a facet or group-by combined with other fields, this contains the name of the aggregate entity. For example, if four fields together make up an "event summary" field that is a possible grouping key, then those four fields could each have the groupName "event_summary", and they will be indexed together appropriately. |
| type | SearchOptions.LogicalType | type$ | The "logical type" of a field, which may give hints about how to index, store or process the field. |
| alias | repeated string | alias$ | Whether this field should also be indexed under an alternate name. Note that this consumes more space in the index, but is sometimes worth it in order to preserve backwards compatibility or overcome inconsistencies between schemas. |
| ql_name | string | qlName$ | The name to present to query language users for this field. Modifies the field name both in queries and in their returned results. |
| hidden | bool | hidden$ | Whether the field should be hidden from search results. Also makes the field unsearchable even if it is indexed. |

UserPart

Standardizes the parts of a username so that consumers can reference a single part when a log source combines multiple parts (e.g. user and domain).

| Field | Type | Parser Field | Description |
|---|---|---|---|
| original_name | string | originalName$ | The original username value as it appeared in the original data. (EXAMPLE: WORKGROUP\SomeUser@secureworks.com) |
| name | string | name$ | Just the username value, void of any group or domain identifiers. (EXAMPLE: SomeUser) |
| domain | string | domain$ | The domain name value for the user, explicitly extracted from the original username value and not parsed from other fields or parts of the original data. (EXAMPLE: secureworks.com) |
| group | string | group$ | The group value for the user, explicitly extracted from the original username value and not parsed from other fields or parts of the original data. (EXAMPLE: WORKGROUP) |
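As an added example (not code from this page or from TDR), the following Python splits the combined username and hostname forms shown in the HostPart and UserPart tables into their parts so that detections keyed on the bare name match regardless of how a log source formats identities. The splitting rules are an assumption inferred from the EXAMPLE values: a backslash-separated prefix is the group, an '@' suffix is the domain, and nothing is taken from any other field.

```python
# Added example, not code from the schema page or from TDR itself: splits a
# combined username or hostname into the UserPart / HostPart fields above.
# The splitting rules are an assumption: a "GROUP\" prefix is the group, an
# "@domain" suffix is the domain, and whatever remains is the bare name.
from dataclasses import dataclass


@dataclass
class UserPart:
    original_name: str
    name: str
    domain: str = ""   # proto3 default: empty when the input has no such part
    group: str = ""


@dataclass
class HostPart:
    original_name: str
    name: str
    domain: str = ""


def _split_domain(value: str) -> tuple[str, str]:
    # The domain is everything after the LAST '@', so a name containing '@' keeps it.
    if "@" in value:
        name, domain = value.rsplit("@", 1)
        return name, domain
    return value, ""


def split_user_part(original: str) -> UserPart:
    """Extract group, name and domain from the username string only; the
    schema says these parts must not be parsed from other fields."""
    rest = original.strip()
    group = ""
    if "\\" in rest:                      # "WORKGROUP\SomeUser@..." -> group
        group, rest = rest.split("\\", 1)
    name, domain = _split_domain(rest)
    return UserPart(original_name=original, name=name, domain=domain, group=group)


def split_host_part(original: str) -> HostPart:
    """HostPart has no group field, so only the '@domain' suffix is split off."""
    name, domain = _split_domain(original.strip())
    return HostPart(original_name=original, name=name, domain=domain)


if __name__ == "__main__":
    print(split_user_part("WORKGROUP\\SomeUser@secureworks.com"))
    print(split_host_part("SomeHost@secureworks.com"))
```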

EntityOptions.Direction

| Name | Number | Description |
|---|---|---|
| NON_DETERMINISTIC | 0 | |
| SOURCE | 1 | |
| SINK | 2 | |

IdentityType

Categorical identity profile in use by a user performing actions in an event.

| Name | Number | Description |
|---|---|---|
| UNKNOWN_IDENTITY_TYPE | 0 | Unused but required for proto. |
| USER | 10 | A regular user account. |
| ROLE | 20 | An identity that represents a role, often used in role-based access control (RBAC). |
| ADMIN | 30 | An administrative account with elevated privileges. |
| SERVICE_ACCOUNT | 40 | A service account used by applications or services to interact with other services. |
| GUEST | 50 | A guest or external user account, often used for temporary or limited access. |
| SYSTEM | 60 | A system account used by the operating system or system services. |

NullableBoolean

| Name | Number | Description |
|---|---|---|
| UNSET | 0 | |
| TRUE | 10 | |
| FALSE | 20 | |

SearchOptions.LogicalType

| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | The default; indicates that there is no specific logical type for this field or it is not known. |
| TIMESTAMP_MILLIS | 1 | This field is interpreted as the number of milliseconds since the Unix epoch, 1970-01-01 00:00:00 UTC. |
| TIMESTAMP_MICROS | 2 | This field is interpreted as the number of microseconds since the Unix epoch, 1970-01-01 00:00:00 UTC. |
| UUID | 3 | |
| IP | 4 | |
| DOMAIN | 5 | |
| HOSTNAME | 6 | |
| USERNAME | 7 | |
| PORT | 8 | |
| LATITUDE | 9 | |
| LONGITUDE | 10 | |
| MAC_ADDRESS | 11 | |
| PROGRAM_HASH | 12 | |
| FILE_PATH | 13 | |
| URL | 14 | |
| COMMAND_LINE | 15 | |
| SENSOR_ID | 16 | |

SearchOptions.TokenizationType

| Name | Number | Description |
|---|---|---|
| NONE | 0 | The default; do not tokenize this field. |
| WHITESPACE | 1 | Tokenize by whitespace only. |
| DEFAULT | 2 | Tokenize using defaults appropriate for this field's logical type, or for general-purpose text if the logical type is unknown. |

TimeFidelity

| Name | Number | Description |
|---|---|---|
| UNDEFINED | 0 | Unused but required for proto3. |
| SECOND | 1 | |
| MILLI | 2 | 10^-3 seconds |
| MICRO | 3 | 10^-6 seconds |
| NANO | 4 | 10^-9 seconds |

Visibility

| Name | Number | Description |
|---|---|---|
| UNKNOWN | 0 | Unused but required for proto3. |
| PUBLIC | 1 | |
| PRIVATE | 2 | |
| SHARED | 3 | |

File-level Extensions

| Extension | Type | Base | Number | Description |
|---|---|---|---|---|
| entity | EntityOptions | .google.protobuf.EnumValueOptions | 80101 | |
| search | SearchOptions | .google.protobuf.FieldOptions | 80100 | |