Types for Google Backstory API¶
- class google.backstory.types.AnalyticsMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Stores information about an analytics metric used in a rule.
- class google.backstory.types.AppCompatMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Windows AppCompatCache (Application Compatibility) metadata.
- class google.backstory.types.Artifact(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Information about an artifact. The artifact can only be an IP.
- ip¶
IP address of the artifact. This field can be used as an entity indicator for an external destination IP entity.
- Type
- prevalence¶
The prevalence of the artifact within the customer’s environment.
- first_seen_time¶
First seen timestamp of the IP in the customer’s environment.
- last_seen_time¶
Last seen timestamp of the IP address in the customer’s environment.
- location¶
Location of the Artifact’s IP address.
- network¶
Network information related to the Artifact’s IP address.
- jarm¶
The JARM hash for the IP address. (https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a).
- Type
- last_https_certificate¶
SSL certificate information about the IP address.
- last_https_certificate_date¶
Most recent date for the certificate in VirusTotal.
- regional_internet_registry¶
RIR (one of the current RIRs: AFRINIC, ARIN, APNIC, LACNIC or RIPE NCC).
- Type
- whois_date¶
Date of the last update of the WHOIS record in VirusTotal.
- tunnels¶
VPN tunnels.
- Type
MutableSequence[google.backstory.types.Tunnels]
- artifact_client¶
Entity or software accessing or utilizing network resources.
- class google.backstory.types.ArtifactClient(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Entity or software accessing or utilizing network resources.
- class google.backstory.types.Asset(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Information about a compute asset such as a workstation, laptop, phone, virtual desktop, or VM.
- product_object_id¶
A vendor-specific identifier to uniquely identify the entity (a GUID or similar). This field can be used as an entity indicator for asset entities.
- Type
- hostname¶
Asset hostname or domain name field. This field can be used as an entity indicator for asset entities.
- Type
- asset_id¶
The asset ID. Value must contain the ‘:’ character. For example, cs:abcdd23434. This field can be used as an entity indicator for asset entities.
- Type
- ip¶
A list of IP addresses associated with an asset. This field can be used as an entity indicator for asset entities.
- Type
MutableSequence[str]
- mac¶
List of MAC addresses associated with an asset. This field can be used as an entity indicator for asset entities.
- Type
MutableSequence[str]
- first_seen_time¶
The first observed time for an asset. The value is calculated on the basis of the first time the identifier was observed.
- hardware¶
The asset hardware specifications.
- Type
MutableSequence[google.backstory.types.Hardware]
- platform_software¶
The asset operating system platform software.
- software¶
The asset software details.
- Type
MutableSequence[google.backstory.types.Software]
- location¶
Location of the asset.
- type_¶
The type of the asset (e.g. workstation or laptop or server).
- creation_time¶
Time the asset was created or provisioned. Deprecated: creation_time should be populated in Attribute as generic metadata.
- first_discover_time¶
Time the asset was first discovered (by asset management/discoverability software).
- last_discover_time¶
Time the asset was last discovered (by asset management/discoverability software).
- system_last_update_time¶
Time the asset system or OS was last updated. For all other operations that are not system updates (such as resizing a VM), use Attribute.last_update_time.
- last_boot_time¶
Time the asset was last booted.
- labels¶
Metadata labels for the asset. Deprecated: labels should be populated in Attribute as generic metadata.
- Type
MutableSequence[google.backstory.types.Label]
- deployment_status¶
The deployment status of the asset for device lifecycle purposes.
- vulnerabilities¶
Vulnerabilities discovered on asset.
- Type
MutableSequence[google.backstory.types.Vulnerability]
- attribute¶
Generic entity metadata attributes of the asset.
- wmi_persistence_item¶
Information about a WMI persistence item.
- class AssetType(value)[source]¶
Bases: proto.enums.Enum
The role type of the asset.
- Values:
- ROLE_UNSPECIFIED (0):
Unspecified asset role.
- WORKSTATION (1):
A workstation or desktop.
- LAPTOP (2):
A laptop computer.
- IOT (3):
An IOT asset.
- NETWORK_ATTACHED_STORAGE (4):
A network attached storage device.
- PRINTER (5):
A printer.
- SCANNER (6):
A scanner.
- SERVER (7):
A server.
- TAPE_LIBRARY (8):
A tape library device.
- MOBILE (9):
A mobile device such as a mobile phone or PDA.
- class DeploymentStatus(value)[source]¶
Bases: proto.enums.Enum
Deployment status states.
- Values:
- DEPLOYMENT_STATUS_UNSPECIFIED (0):
Unspecified deployment status.
- ACTIVE (1):
Asset is active, functional and deployed.
- PENDING_DECOMISSION (2):
Asset is pending decommission and no longer deployed.
- DECOMISSIONED (3):
Asset is decommissioned.
- class google.backstory.types.AtiPrioritization(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
AtiPrioritization contains various fields used to calculate a priority score for an entity identified as a threat.
- gti_update_time¶
Timestamp of the latest update for GTI verdict, severity, or threat score.
- active_ir¶
Whether one or more Mandiant incident response customers had this indicator in their environment.
- Type
- active_ir_first_tagged_time¶
The timestamp of the first time an active IR was applied to this entity.
- attributed_malware¶
Malware families associated with this indicator.
- Type
MutableSequence[google.backstory.types.SecurityResult.Association]
- attributed_threat_actors¶
Threat actors associated with this indicator.
- Type
MutableSequence[google.backstory.types.SecurityResult.Association]
- class google.backstory.types.AttackDetails(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
MITRE ATT&CK details.
- tactics¶
Tactics employed.
- Type
MutableSequence[google.backstory.types.AttackDetails.Tactic]
- techniques¶
Techniques employed.
- Type
MutableSequence[google.backstory.types.AttackDetails.Technique]
- class Tactic(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Tactic information related to an attack or threat.
- class Technique(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Technique information related to an attack or threat.
- class google.backstory.types.Attribute(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Attribute is a container for generic entity attributes, including attributes common across core entities (such as user or asset). For example, Cloud is a generic entity attribute since it can apply to an asset (for example, a VM) or a user (for example, an identity service account).
- cloud¶
Cloud metadata attributes such as project ID, account ID, or organizational hierarchy.
- labels¶
Set of labels for the entity. Should only be used for product labels (for example, Google Cloud resource labels or Azure AD sensitivity labels). Should not be used for arbitrary key-value mappings.
- Type
MutableSequence[google.backstory.types.Label]
- permissions¶
System permissions for IAM entity (human principal, service account, group).
- Type
MutableSequence[google.backstory.types.Permission]
- roles¶
System IAM roles to be assumed by resources to use the role’s permissions for access control.
- Type
MutableSequence[google.backstory.types.Role]
- creation_time¶
Time the resource or entity was created or provisioned.
- last_update_time¶
Time the resource or entity was last updated.
- class google.backstory.types.Authentication(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
The Authentication extension captures details specific to authentication events. General guidelines for authentication events:
Details about the source of the authentication event (for example, client IP or hostname) should be captured in principal. The principal may be empty if there are no details about the source of the login.
Details about the target of the authentication event (for example, details about the machine that is being logged into or logged out of) should be captured in target.
Some authentication events may involve a third-party. For example, a user logs into a cloud service (for example, Chronicle) via their company’s SSO (the event is logged by their SSO solution). In this case, the principal captures information about the user’s device, the target captures details about the cloud service they logged into, and the intermediary captures details about the SSO solution.
- type_¶
The type of authentication.
- mechanism¶
The authentication mechanism.
- Type
MutableSequence[google.backstory.types.Authentication.Mechanism]
- outcome¶
The outcome of the authentication event.
- class AuthType(value)[source]¶
Bases: proto.enums.Enum
Type of system the authentication event is associated with.
- Values:
- AUTHTYPE_UNSPECIFIED (0):
The default type.
- MACHINE (1):
A machine authentication.
- SSO (2):
An SSO authentication.
- VPN (3):
A VPN authentication.
- PHYSICAL (4):
A Physical authentication (e.g. “Badge reader”).
- TACACS (5):
A TACACS family protocol for networked systems authentication (e.g. TACACS, TACACS+).
- class AuthenticationStatus(value)[source]¶
Bases: proto.enums.Enum
Authentication status; can be used to describe the status of authentication for a user or a particular credential.
- Values:
- UNKNOWN_AUTHENTICATION_STATUS (0):
The default authentication status.
- ACTIVE (1):
The authentication method is in active state.
- SUSPENDED (2):
The authentication method is in suspended/disabled state.
- NO_ACTIVE_CREDENTIALS (3):
The authentication method has no active credentials.
- DELETED (4):
The authentication method has been deleted.
- class Mechanism(value)[source]¶
Bases: proto.enums.Enum
Mechanism(s) used to authenticate.
- Values:
- MECHANISM_UNSPECIFIED (0):
The default mechanism.
- USERNAME_PASSWORD (1):
Username + password authentication.
- OTP (2):
OTP authentication.
- HARDWARE_KEY (3):
Hardware key authentication.
- LOCAL (4):
Local authentication.
- REMOTE (5):
Remote authentication.
- REMOTE_INTERACTIVE (6):
RDP, Terminal Services, or VNC.
- MECHANISM_OTHER (7):
Some other mechanism that is not defined here.
- BADGE_READER (8):
Badge reader authentication.
- NETWORK (9):
Network authentication.
- BATCH (10):
Batch authentication.
- SERVICE (11):
Service authentication.
- UNLOCK (12):
Direct human-interactive unlock authentication.
- NETWORK_CLEAR_TEXT (13):
Network clear text authentication.
- NEW_CREDENTIALS (14):
Authentication with new credentials.
- INTERACTIVE (15):
Interactive authentication.
- CACHED_INTERACTIVE (16):
Interactive authentication using cached credentials.
- CACHED_REMOTE_INTERACTIVE (17):
Cached Remote Interactive authentication using cached credentials.
- CACHED_UNLOCK (18):
Cached Remote Interactive authentication using cached credentials.
- BIOMETRIC (19):
Biometric device such as a fingerprint reader.
- WEARABLE (20):
Wearable such as an Apple Watch.
- class Outcome(value)[source]¶
Bases: proto.enums.Enum
The outcome of the authentication event.
- Values:
- OUTCOME_UNSPECIFIED (0):
The default outcome.
- SUCCESS (1):
The authentication was successful.
- FAILURE (2):
The authentication failed.
- class google.backstory.types.BoolSequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
BoolSequence represents a sequence of bools.
- class google.backstory.types.Browser(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Information about an entry in the web browser’s local history database.
- browser_type¶
The browser that recorded the history entry (e.g. “Chrome”, “Firefox”, “Safari”, etc.).
- first_visit_time¶
The timestamp indicating the initial visit to the URL.
- last_visit_time¶
The timestamp indicating the most recent visit to the URL.
- visit_type¶
Describes the type of navigation or visit (e.g., direct, redirect, etc.).
A boolean value indicating if the history entry is hidden.
- Type
- indexed_content¶
Represents the textual content of a web page. This field should be kept short. Large strings may affect latency and payload sizes.
- Type
- first_bookmarked_time¶
The timestamp indicating the first time the URL was bookmarked.
- cookies¶
Information about the cookies.
- Type
MutableSequence[google.backstory.types.Browser.Cookie]
- typed_count¶
The number of times the URL was visited with this specific visit type and visit source.
- Type
- visit_source¶
The source of the visit.
- class BrowserType(value)[source]¶
Bases: proto.enums.Enum
The name of the browser.
- Values:
- BROWSER_TYPE_UNSPECIFIED (0):
Default value.
- CHROME (1):
Chrome.
- FIREFOX (2):
Firefox.
- SAFARI (3):
Safari.
- INTERNET_EXPLORER (4):
Internet Explorer.
- EDGE (5):
Edge.
- OPERA (6):
Opera.
- class Cookie(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Browser cookie.
- expiration_time¶
The date and time when the cookie will expire.
- http_only¶
Indicates if the cookie is inaccessible via client-side scripts (e.g., JavaScript).
- Type
- same_site¶
Affects cross-site request behavior.
- class CookieSameSite(value)[source]¶
Bases: proto.enums.Enum
The SameSite attribute of a cookie.
- Values:
- COOKIE_SAME_SITE_UNSPECIFIED (0):
Default value.
- STRICT (1):
Corresponds to SameSite=Strict.
- LAX (2):
Corresponds to SameSite=Lax.
- NONE (3):
Corresponds to SameSite=None.
- class UrlVisitType(value)[source]¶
Bases: proto.enums.Enum
The type of visit to a URL.
- Values:
- URL_VISIT_TYPE_UNSPECIFIED (0):
Default value.
- LINK (1):
The user clicked a link.
- TYPED (2):
The user typed a URL.
- AUTO_BOOKMARK (3):
The user bookmarked the URL.
- AUTO_SUBFRAME (4):
Loaded in a nested subframe by the parent frame.
- MANUAL_SUBFRAME (5):
Loaded in a nested subframe by the user.
- GENERATED (6):
The user clicked on an auto-generated link in the browser address bar.
- AUTO_TOPLEVEL (7):
The page was loaded through the command line or is the starting page.
- FORM_SUBMIT (8):
The user submitted a form.
- RELOAD (9):
The user reloaded the page.
- KEYWORD (10):
The URL was generated by a keyword search configured by the user.
- KEYWORD_GENERATED (11):
Corresponds to a visit generated by a keyword search.
- REDIRECT (12):
The user was redirected to the URL.
- class VisitSource(value)[source]¶
Bases: proto.enums.Enum
The source of the visit.
- Values:
- VISIT_SOURCE_UNSPECIFIED (0):
Default value.
- SYNCED (1):
The visit was synced from another device.
- BROWSER (2):
The visit was from a browser.
- EXTENSION (3):
The visit was from an extension.
- IMPORTED (4):
The visit was imported from another browser application.
- class google.backstory.types.BytesSequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
BytesSequence represents a sequence of bytes.
- class google.backstory.types.Certificate(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Certificate information.
- not_before¶
Indicates when the certificate is first valid.
- not_after¶
Indicates when the certificate is no longer valid.
- class google.backstory.types.Cloud(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Metadata related to the cloud environment.
- environment¶
The Cloud environment.
- vpc¶
The cloud environment VPC. Deprecated.
- project¶
The cloud environment project information. Deprecated: use Resource.resource_ancestors.
- availability_zone¶
The cloud environment availability zone (different from region which is location.name).
- Type
- class CloudEnvironment(value)[source]¶
Bases: proto.enums.Enum
The service provider environment.
- Values:
- UNSPECIFIED_CLOUD_ENVIRONMENT (0):
Default.
- GOOGLE_CLOUD_PLATFORM (1):
Google Cloud Platform.
- AMAZON_WEB_SERVICES (2):
Amazon Web Services.
- MICROSOFT_AZURE (3):
Microsoft Azure.
- class google.backstory.types.Collection(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Collection represents a container of objects (such as events, entity context metadata, detection finding metadata) and state (such as investigation details).
An example use case for Collection is to model a detection and investigation from detection finding metadata to investigative state collected in the course of the investigation. For more complex investigation and response workflows a Collection could represent an incident consisting of multiple child findings or incidents. This can be expanded on to model remediation elements of a full detection and response workflow.
- id¶
Unique ID for the collection. The ID is specific to the type of collection. For example, with rule detections this is the detection ID.
- Type
- type_¶
What the collection represents.
- id_namespace¶
The ID namespace used for the Collection.
- created_time¶
Time the collection was created.
- last_updated_time¶
Time the collection was last updated.
- time_window¶
Time interval that the collection represents.
- Type
google.type.interval_pb2.Interval
- collection_elements¶
Constituent elements of the collection. Each element shares an association that groups it together and is a component of the overall collection. For example, a detection collection may have several constituent elements that each share a correlation association that together represent a particular pattern or behavior.
- Type
MutableSequence[google.backstory.types.Element]
- detection¶
Detection metadata for findings that represent detections, can include rule details, machine learning model metadata, and indicators implicated in the detection (using the .about field).
- Type
MutableSequence[google.backstory.types.SecurityResult]
- detection_time¶
Timestamp within the time_window related to the time of the collection_elements. For Rule Detections, this timestamp is the end of the time_window for multi-event rules or the time of the event for single-event rules. For late-arriving events that trigger new alerts, the detection_time will be the event time of the event.
- investigation¶
Consolidated investigation details (categorization, status, etc.), typically for collections that begin as detection findings and then evolve, with analyst action and feedback, into investigations around the detection output.
- response_platform_info¶
Alert-related info for this same alert in the customer’s SOAR platform.
- case_name¶
The resource name of the Case that this collection belongs to. Example: projects/{project id}/locations/{region}/chronicle/cases/{internal_case_id}
- Type
- soar_alert_metadata¶
Metadata fields of alerts coming from other SIEM systems via SOAR.
- detection_timing_details¶
Detection timing details for the collection. These details are used to determine possible causes of latency for the detection. This field is only set for detections that are generated by rules.
- Type
MutableSequence[google.backstory.types.Collection.DetectionTimingDetails]
- latency_metrics¶
The latency metrics for the specific detection. These metrics are calculated from ALL of the events that contribute to the detection, not just the sampled ones.
- rule_run_frequency¶
The run frequency of the rule when it generated the detection.
- simulated_event_count¶
The total number of simulated events that contributed to this detection. Simulated events are realistic threat sequences (Raw Logs or UDM) programmatically delivered into the production ingestion pipeline to verify the entire detection lifecycle, from identification to action.
- Type
- simulated_event_names¶
The set of all values from event ingestion_labels where SIMULATED is set as the key, for all simulated events that participated in this detection.
- Type
MutableSequence[str]
- class CollectionType(value)[source]¶
Bases: proto.enums.Enum
The type of the collection, which indicates which other fields are relevant. For example, detection finding collections will populate the detection field. Findings that evolve into investigations will populate the investigation field.
- Values:
- COLLECTION_TYPE_UNSPECIFIED (0):
An unspecified collection type.
- TELEMETRY_ALERT (1):
An alert reported in customer telemetry.
- GCTI_FINDING (2):
A finding from the Uppercase team.
- UPPERCASE_ALERT (2):
No description available.
- RULE_DETECTION (3):
A detection found by applying a rule.
- MACHINE_INTELLIGENCE_ALERT (4):
An alert generated by Chronicle machine learning models.
- SOAR_ALERT (5):
An alert coming from other SIEMs via Chronicle SOAR.
- class DetectionTimingDetails(value)[source]¶
Bases: proto.enums.Enum
Detection timing details for the collection.
- Values:
- DETECTION_TIMING_DETAILS_UNSPECIFIED (0):
Detection timing details are unspecified.
- DETECTION_TIMING_DETAILS_REPROCESSING (1):
Detection is generated by a reprocessing run.
- DETECTION_TIMING_DETAILS_RETROHUNT (2):
Detection is generated by a retrohunt run.
- class RunFrequency(value)[source]¶
Bases: proto.enums.Enum
Run frequencies used by rule executions.
- Values:
- RUN_FREQUENCY_UNSPECIFIED (0):
Unspecified run frequency.
- RUN_FREQUENCY_REALTIME (1):
Real-time run frequency.
- RUN_FREQUENCY_HOURLY (2):
Executes once an hour.
- RUN_FREQUENCY_DAILY (3):
Executes once a day.
- class google.backstory.types.DNSRecord(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DNS record.
- ttl¶
Time to live.
- refresh¶
Refresh.
- minimum¶
Minimum.
- expire¶
Expire.
- class google.backstory.types.DataAccessIngestionLabel(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Label used in data access for ingestion.
- class google.backstory.types.DataAccessLabels(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Label used in data access.
- ingestion_kv_labels¶
All the ingestion labels (key/value pairs).
- Type
MutableSequence[google.backstory.types.DataAccessIngestionLabel]
- class google.backstory.types.DataTableRowInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DataTableRowInfo captures information about a data table row, including the name of the data table.
- row¶
Stores the key value pair for a data table row where the key is the name of the column for the given value.
- class google.backstory.types.Dhcp(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DHCP information.
- opcode¶
The BOOTP op code.
- options¶
List of DHCP options.
- Type
MutableSequence[google.backstory.types.Dhcp.Option]
- type_¶
DHCP message type.
- client_identifier¶
Client identifier. See RFC2132, section 9.14. Note: Make sure to update the client_identifier_string field as well if you update this field.
- Type
- client_identifier_string¶
Client identifier as string. See RFC2132, section 9.14. This field holds the string value of the client_identifier.
- Type
- class MessageType(value)[source]¶
Bases: proto.enums.Enum
DHCP message type. See RFC2131, section 3.1.
- Values:
- UNKNOWN_MESSAGE_TYPE (0):
Default message type.
- DISCOVER (1):
DHCPDISCOVER.
- OFFER (2):
DHCPOFFER.
- REQUEST (3):
DHCPREQUEST.
- DECLINE (4):
DHCPDECLINE.
- ACK (5):
DHCPACK.
- NAK (6):
DHCPNAK.
- RELEASE (7):
DHCPRELEASE.
- INFORM (8):
DHCPINFORM.
- WIN_DELETED (100):
Microsoft Windows DHCP “lease deleted”.
- WIN_EXPIRED (101):
Microsoft Windows DHCP “lease expired”.
- class OpCode(value)[source]¶
Bases: proto.enums.Enum
BOOTP op code. See RFC951, section 3.
- Values:
- UNKNOWN_OPCODE (0):
Default opcode.
- BOOTREQUEST (1):
Request.
- BOOTREPLY (2):
Reply.
- class google.backstory.types.Dns(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DNS information.
- opcode¶
The DNS OpCode used to specify the type of DNS query (for example, QUERY, IQUERY, or STATUS).
- Type
- questions¶
A list of domain protocol message questions.
- Type
MutableSequence[google.backstory.types.Dns.Question]
- answers¶
A list of answers to the domain name query.
- Type
MutableSequence[google.backstory.types.Dns.ResourceRecord]
- authority¶
A list of domain name servers which verified the answers to the domain name queries.
- Type
MutableSequence[google.backstory.types.Dns.ResourceRecord]
- additional¶
A list of additional domain name servers that can be used to verify the answer to the domain.
- Type
MutableSequence[google.backstory.types.Dns.ResourceRecord]
- class Question(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DNS Questions. See RFC1035, section 4.1.2.
- prevalence¶
The prevalence of the domain within the customer’s environment.
- class ResourceRecord(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DNS Resource Records. See RFC1035, section 4.1.3.
- ttl¶
The time interval for which the resource record can be cached before the source of the information should again be queried.
- Type
- data¶
The payload or response to the DNS question for all responses, encoded in UTF-8 format.
- Type
- class google.backstory.types.Domain(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Information about a domain.
- prevalence¶
The prevalence of the domain within the customer’s environment.
- first_seen_time¶
First seen timestamp of the domain in the customer’s environment.
- last_seen_time¶
Last seen timestamp of the domain in the customer’s environment.
- registrar¶
Registrar name. For example, “Wild West Domains, Inc. (R120-LROR)”, “GoDaddy.com, LLC”, or “PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM”.
- Type
- creation_time¶
Domain creation time.
- update_time¶
Last updated time.
- expiration_time¶
Expiration time.
- audit_update_time¶
Audit updated time.
- status¶
Domain status. See https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en for the meanings of possible values.
- Type
- registrant¶
Parsed contact information for the registrant of the domain.
- admin¶
Parsed contact information for the administrative contact for the domain.
- tech¶
Parsed contact information for the technical contact for the domain.
- billing¶
Parsed contact information for the billing contact of the domain.
- zone¶
Parsed contact information for the zone.
- iana_registrar_id¶
IANA Registrar ID. See https://www.iana.org/assignments/registrar-ids/registrar-ids.xhtml.
- Type
- private_registration¶
Indicates whether the domain appears to be using a private registration service to mask the owner’s contact information.
- Type
- favicon¶
Includes the difference hash and MD5 hash of the domain’s favicon.
- last_dns_records¶
Domain’s DNS records from the last scan.
- Type
MutableSequence[google.backstory.types.DNSRecord]
- last_dns_records_time¶
Date when the DNS records list was retrieved by VirusTotal.
- last_https_certificate¶
SSL certificate object retrieved last time the domain was analyzed.
- last_https_certificate_time¶
When the certificate was retrieved by VirusTotal.
- popularity_ranks¶
Domain’s position in popularity ranks such as Alexa, Quantcast, Statvoo, etc.
- Type
MutableSequence[google.backstory.types.PopularityRank]
- whois_time¶
Date of the last update of the WHOIS record.
- class google.backstory.types.DoubleSequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
DoubleSequence represents a sequence of doubles.
- class google.backstory.types.Element(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
- association¶
Metadata that provides the relevant association for the references in the element. For a detection, this can be the correlated aspect of the references that contributed to the overall detection. For example, it may include a sub-rule condition, machine learning model metadata, and/or indicators implicated in this component of the detection (using the .about field).
- references¶
References to model primitives, including events and entities, that share a common association. Even though a reference can have both UDM and entity, a collection of references (of a single element) will only have one type of message in it (either UDM or Entity).
- Type
MutableSequence[google.backstory.types.Reference]
- references_sampled¶
Copied from the detection event_sample.too_many_event_samples field. If true, the number of references will be capped at the sample limit (set at rule service). This is applicable to both UDM references and Entity references.
- Type
- latency_metrics¶
Latency metrics for the specific element. These are calculated from all the contributing events or entities for a single event variable, not just the sampled ones included in references. This is currently only populated for UDM events.
- class google.backstory.types.Email(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Email info.
- bounce_address¶
The envelope-from address. See https://en.wikipedia.org/wiki/Bounce_address.
- Type
- class google.backstory.types.Entity(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
An Entity provides additional context about an item in a UDM event. For example, a PROCESS_LAUNCH event describes that user ‘abc@example.corp’ launched process ‘shady.exe’. The event does not include information that user ‘abc@example.com’ is a recently terminated employee who administers a server storing finance data. Information stored in one or more Entities can add this additional context.
- metadata¶
Entity metadata such as timestamp, product, etc.
- entity¶
Noun in the UDM event that this entity represents.
- relations¶
One or more relationships between the entity (a) and other entities, including the relationship type and related entity.
- Type
MutableSequence[google.backstory.types.Relation]
- additional¶
Important entity data that cannot be adequately represented within the formal sections of the Entity.
- risk_score¶
Stores information related to the entity’s risk score.
This field is a member of oneof _risk_score.
- metric¶
Stores statistical metrics about the entity. Used if metadata.entity_type is METRIC.
- class google.backstory.types.EntityGraphEnrichment(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
EntityGraphEnrichment contains the data table name and the enrichment applied to the entity.
- enrichment_type¶
The type of enrichment.
- overridden_entity¶
The entity which has only the overridden fields populated. Only populated if the enrichment type is OVERRIDE.
- class EnrichmentType(value)[source]¶
Bases: proto.enums.Enum
Type of enrichment.
- Values:
- ENRICHMENT_TYPE_UNSPECIFIED (0):
Enrichment type is unspecified.
- APPEND (1):
The data table was appended to the entity graph.
- OVERRIDE (2):
The entity graph was overridden by the data table.
- class google.backstory.types.EntityMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases: proto.message.Message
Information about the Entity and the product where the entity was created.
- product_entity_id¶
A vendor-specific identifier that uniquely identifies the entity (e.g. a GUID, LDAP, OID, or similar).
- Type
- collected_timestamp¶
GMT timestamp when the entity information was collected by the vendor’s local collection infrastructure.
- creation_timestamp¶
GMT timestamp when the entity described by the product_entity_id was created on the system where data was collected.
- interval¶
Valid existence time range for the version of the entity represented by this entity data.
- Type
google.type.interval_pb2.Interval
- entity_type¶
Entity type. If an entity has multiple possible types, this specifies the most specific type.
- threat¶
Metadata provided by a threat intelligence feed that identified the entity as malicious.
- Type
MutableSequence[google.backstory.types.SecurityResult]
- source_type¶
The source of the entity.
- source_labels¶
Entity source metadata labels.
- Type
MutableSequence[google.backstory.types.Label]
- event_metadata¶
Metadata field from the event.
- structured_fields¶
Structured fields extracted from the log.
- extracted¶
Flattened fields extracted from the log.
- ati_prioritization¶
Prioritization factors used by ATI curated rules.
- class EntityType(value)[source]¶
Bases:
proto.enums.Enum
Describes the type of entity.
- Values:
- UNKNOWN_ENTITYTYPE (0):
An unknown entity type.
- ASSET (1):
An asset, such as workstation, laptop, phone, virtual machine, etc.
- USER (10000):
User.
- GROUP (10001):
Group.
- RESOURCE (2):
Resource.
- IP_ADDRESS (3):
An external IP address.
- CIDR_BLOCK (9):
A CIDR block.
- FILE (4):
A file.
- DOMAIN_NAME (5):
A domain.
- URL (6):
A url.
- MUTEX (7):
A mutex.
- METRIC (8):
A metric.
- class SourceType(value)[source]¶
Bases:
proto.enums.Enum
Describes the source of an entity.
- Values:
- SOURCE_TYPE_UNSPECIFIED (0):
Default source type.
- ENTITY_CONTEXT (1):
Entities ingested from customers (e.g. AD_CONTEXT, DLP_CONTEXT).
- DERIVED_CONTEXT (2):
Entities derived from customer data such as prevalence, artifact first/last seen, or asset/user first seen stats.
- GLOBAL_CONTEXT (3):
Global contextual entities such as WHOIS or Safe Browsing.
- class google.backstory.types.EntityRisk(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Stores information related to the risk score of an entity.
- risk_window¶
Time window used when computing the risk score for an entity, for example 24 hours or 7 days.
- Type
google.type.interval_pb2.Interval
- risk_delta¶
Represents the change in risk score for an entity between the end of the previous time window and the end of the current time window.
This field is a member of oneof _risk_delta.
- first_detection_time¶
Timestamp of the first detection within the specified time window. This field is empty when there are no detections.
- last_detection_time¶
Timestamp of the last detection within the specified time window. This field is empty when there are no detections.
- risk_window_size¶
Risk window duration for the entity.
- raw_risk_delta¶
Represents the change in raw risk score for an entity between the end of the previous time window and the end of the current time window.
This field is a member of oneof _raw_risk_delta.
- last_reset_time¶
Timestamp for UEBA risk score reset based deduplication. Used specifically for risk based meta rules.
- detail_uri¶
Link to the Google Security Operations UI with information about the entity risk score. If the SecOps instance has multiple frontend paths configured, this will be a relative path that can be used to construct the full URL.
- Type
- class google.backstory.types.ExifInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Exif information.
- compilation_time¶
Compilation time.
- class google.backstory.types.Extensions(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Extensions to a UDM event.
- auth¶
An authentication extension.
- vulns¶
A vulnerability extension.
- entity_risk¶
An entity risk change extension.
- linux_utmp¶
A Linux Utmp extension. This captures details specific to Linux Utmp events, which record login and logout sessions on a Linux system.
- windows_event_log¶
A Windows Event Log extension. This captures details specific to Windows Event Log events, providing structured information from various Windows logs.
- resource_usage¶
A resource usage extension. This captures details about what entity (e.g., process, user) is using a specific resource.
- system_event_details¶
A system event details extension. This captures additional details for system-level events, such as message type, sender image ID, and subsystem.
- outlook_metadata¶
A Microsoft Outlook specific metadata extension. This includes metadata related to Outlook items, such as comments, templates, and security flags.
- srum¶
A SRUM extension. This captures details specific to Windows System Resource Usage Monitor (SRUM) events, providing insights into application resource consumption.
- user_assist¶
A UserAssist extension. This captures details specific to Windows User Assist events, which track application usage and execution.
- class google.backstory.types.Favicon(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Difference hash and MD5 hash of the domain’s favicon.
- class google.backstory.types.File(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a file.
- sha256¶
The SHA256 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
- Type
- md5¶
The MD5 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
- Type
- sha1¶
The SHA1 hash of the file, as a hex-encoded string. This field can be used as an entity indicator for file entities.
- Type
- full_path¶
The full path identifying the location of the file on the system. This field can be used as an entity indicator for file entities.
- Type
- mime_type¶
The MIME (Multipurpose Internet Mail Extensions) type of the file, for example “PE”, “PDF”, or “powershell script”.
- Type
- file_metadata¶
Metadata associated with the file. Deprecated: FileMetadata is superseded by the fields in File.
- security_result¶
Google Cloud Threat Intelligence (GCTI) security result for the file including threat context and detection metadata.
- pe_file¶
Metadata about the Portable Executable (PE) file.
- symhash¶
SymHash of the file. Used for Mach-O (e.g. macOS) binaries to identify similar files based on their symbol table.
- Type
- prefetch_file_metadata¶
Metadata about the prefetch file.
- file_type¶
FileType field.
- last_modification_time¶
Timestamp when the file was last updated.
- create_time¶
Timestamp when the file was created.
- last_access_time¶
Timestamp when the file was accessed.
- prevalence¶
Prevalence of the file hash in the customer’s environment.
- first_seen_time¶
Timestamp the file was first seen in the customer’s environment.
- last_seen_time¶
Timestamp the file was last seen in the customer’s environment.
- stat_mode¶
The mode of the file. A bit string indicating the permissions and privileges of the file.
- Type
- last_analysis_time¶
Timestamp the file was last analysed.
- exif_info¶
Exif metadata from different file formats extracted by exiftool.
- signature_info¶
File signature information extracted from different tools.
- pdf_info¶
Information about the PDF file structure.
- first_submission_time¶
First submission time of the file.
- last_submission_time¶
Last submission time of the file.
- main_icon¶
Icon’s relevant hashes.
- ntfs¶
NTFS metadata.
- app_compat_cache¶
Windows AppCompatCache (Application Compatibility) metadata.
- class FileType(value)[source]¶
Bases:
proto.enums.Enum
The file type, for example Microsoft Windows executable.
- Values:
- FILE_TYPE_UNSPECIFIED (0):
File type is UNSPECIFIED.
- FILE_TYPE_PE_EXE (1):
File type is PE_EXE.
- FILE_TYPE_PE_DLL (2):
Although DLLs are actually portable executables, this value enables the file type to be identified separately. File type is PE_DLL.
- FILE_TYPE_MSI (3):
File type is MSI.
- FILE_TYPE_NE_EXE (10):
File type is NE_EXE.
- FILE_TYPE_NE_DLL (11):
File type is NE_DLL.
- FILE_TYPE_DOS_EXE (20):
File type is DOS_EXE.
- FILE_TYPE_DOS_COM (21):
File type is DOS_COM.
- FILE_TYPE_COFF (30):
File type is COFF.
- FILE_TYPE_ELF (31):
File type is ELF.
- FILE_TYPE_LINUX_KERNEL (32):
File type is LINUX_KERNEL.
- FILE_TYPE_RPM (33):
File type is RPM.
- FILE_TYPE_LINUX (34):
File type is LINUX.
- FILE_TYPE_MACH_O (35):
File type is MACH_O.
- FILE_TYPE_JAVA_BYTECODE (36):
File type is JAVA_BYTECODE.
- FILE_TYPE_DMG (37):
File type is DMG.
- FILE_TYPE_DEB (38):
File type is DEB.
- FILE_TYPE_PKG (39):
File type is PKG.
- FILE_TYPE_PYC (40):
File type is PYC.
- FILE_TYPE_LNK (50):
File type is LNK.
- FILE_TYPE_DESKTOP_ENTRY (51):
File type is DESKTOP_ENTRY.
- FILE_TYPE_JPEG (100):
File type is JPEG.
- FILE_TYPE_TIFF (101):
File type is TIFF.
- FILE_TYPE_GIF (102):
File type is GIF.
- FILE_TYPE_PNG (103):
File type is PNG.
- FILE_TYPE_BMP (104):
File type is BMP.
- FILE_TYPE_GIMP (105):
File type is GIMP.
- FILE_TYPE_IN_DESIGN (106):
File type is Adobe InDesign.
- FILE_TYPE_PSD (107):
File type is PSD (Adobe Photoshop).
- FILE_TYPE_TARGA (108):
File type is TARGA.
- FILE_TYPE_XWD (109):
File type is XWD.
- FILE_TYPE_DIB (110):
File type is DIB.
- FILE_TYPE_JNG (111):
File type is JNG.
- FILE_TYPE_ICO (112):
File type is ICO.
- FILE_TYPE_FPX (113):
File type is FPX.
- FILE_TYPE_EPS (114):
File type is EPS.
- FILE_TYPE_SVG (115):
File type is SVG.
- FILE_TYPE_EMF (116):
File type is EMF.
- FILE_TYPE_WEBP (117):
File type is WEBP.
- FILE_TYPE_DWG (118):
File type is DWG.
- FILE_TYPE_DXF (119):
File type is DXF.
- FILE_TYPE_THREEDS (120):
File type is 3DS.
- FILE_TYPE_OGG (150):
File type is OGG.
- FILE_TYPE_FLC (151):
File type is FLC.
- FILE_TYPE_FLI (152):
File type is FLI.
- FILE_TYPE_MP3 (153):
File type is MP3.
- FILE_TYPE_FLAC (154):
File type is FLAC.
- FILE_TYPE_WAV (155):
File type is WAV.
- FILE_TYPE_MIDI (156):
File type is MIDI.
- FILE_TYPE_AVI (157):
File type is AVI.
- FILE_TYPE_MPEG (158):
File type is MPEG.
- FILE_TYPE_QUICKTIME (159):
File type is QUICKTIME.
- FILE_TYPE_ASF (160):
File type is ASF.
- FILE_TYPE_DIVX (161):
File type is DIVX.
- FILE_TYPE_FLV (162):
File type is FLV.
- FILE_TYPE_WMA (163):
File type is WMA.
- FILE_TYPE_WMV (164):
File type is WMV.
- FILE_TYPE_RM (165):
File type is RM (RealMedia).
- FILE_TYPE_MOV (166):
File type is MOV.
- FILE_TYPE_MP4 (167):
File type is MP4.
- FILE_TYPE_T3GP (168):
File type is T3GP.
- FILE_TYPE_WEBM (169):
File type is WEBM.
- FILE_TYPE_MKV (170):
File type is MKV.
- FILE_TYPE_PDF (200):
File type is PDF.
- FILE_TYPE_PS (201):
File type is PS.
- FILE_TYPE_DOC (202):
File type is DOC.
- FILE_TYPE_DOCX (203):
File type is DOCX.
- FILE_TYPE_PPT (204):
File type is PPT.
- FILE_TYPE_PPTX (205):
File type is PPTX.
- FILE_TYPE_XLS (206):
File type is XLS.
- FILE_TYPE_XLSX (207):
File type is XLSX.
- FILE_TYPE_RTF (208):
File type is RTF.
- FILE_TYPE_PPSX (209):
File type is PPSX.
- FILE_TYPE_ODP (250):
File type is ODP.
- FILE_TYPE_ODS (251):
File type is ODS.
- FILE_TYPE_ODT (252):
File type is ODT.
- FILE_TYPE_HWP (253):
File type is HWP.
- FILE_TYPE_GUL (254):
File type is GUL.
- FILE_TYPE_ODF (255):
File type is ODF.
- FILE_TYPE_ODG (256):
File type is ODG.
- FILE_TYPE_ONE_NOTE (257):
File type is ONE_NOTE.
- FILE_TYPE_OOXML (258):
File type is OOXML.
- FILE_TYPE_SLK (259):
File type is SLK.
- FILE_TYPE_EBOOK (260):
File type is EBOOK.
- FILE_TYPE_LATEX (261):
File type is LATEX.
- FILE_TYPE_TTF (262):
File type is TTF.
- FILE_TYPE_EOT (263):
File type is EOT.
- FILE_TYPE_WOFF (264):
File type is WOFF.
- FILE_TYPE_CHM (265):
File type is CHM.
- FILE_TYPE_ZIP (300):
File type is ZIP.
- FILE_TYPE_GZIP (301):
File type is GZIP.
- FILE_TYPE_BZIP (302):
File type is BZIP.
- FILE_TYPE_RZIP (303):
File type is RZIP.
- FILE_TYPE_DZIP (304):
File type is DZIP.
- FILE_TYPE_SEVENZIP (305):
File type is SEVENZIP.
- FILE_TYPE_CAB (306):
File type is CAB.
- FILE_TYPE_JAR (307):
File type is JAR.
- FILE_TYPE_RAR (308):
File type is RAR.
- FILE_TYPE_MSCOMPRESS (309):
File type is MSCOMPRESS.
- FILE_TYPE_ACE (310):
File type is ACE.
- FILE_TYPE_ARC (311):
File type is ARC.
- FILE_TYPE_ARJ (312):
File type is ARJ.
- FILE_TYPE_ASD (313):
File type is ASD.
- FILE_TYPE_BLACKHOLE (314):
File type is BLACKHOLE.
- FILE_TYPE_KGB (315):
File type is KGB.
- FILE_TYPE_ZLIB (316):
File type is ZLIB.
- FILE_TYPE_TAR (317):
File type is TAR.
- FILE_TYPE_ZST (318):
File type is ZST.
- FILE_TYPE_LZFSE (319):
File type is LZFSE.
- FILE_TYPE_PYTHON_WHL (320):
File type is PYTHON_WHL.
- FILE_TYPE_PYTHON_PKG (321):
File type is PYTHON_PKG.
- FILE_TYPE_MSIX (322):
File type is MSIX, new Windows app package format.
- FILE_TYPE_TEXT (400):
File type is TEXT.
- FILE_TYPE_SCRIPT (401):
File type is SCRIPT.
- FILE_TYPE_PHP (402):
File type is PHP.
- FILE_TYPE_PYTHON (403):
File type is PYTHON.
- FILE_TYPE_PERL (404):
File type is PERL.
- FILE_TYPE_RUBY (405):
File type is RUBY.
- FILE_TYPE_C (406):
File type is C.
- FILE_TYPE_CPP (407):
File type is CPP.
- FILE_TYPE_JAVA (408):
File type is JAVA.
- FILE_TYPE_SHELLSCRIPT (409):
File type is SHELLSCRIPT.
- FILE_TYPE_PASCAL (410):
File type is PASCAL.
- FILE_TYPE_AWK (411):
File type is AWK.
- FILE_TYPE_DYALOG (412):
File type is DYALOG.
- FILE_TYPE_FORTRAN (413):
File type is FORTRAN.
- FILE_TYPE_JAVASCRIPT (414):
File type is JAVASCRIPT.
- FILE_TYPE_POWERSHELL (415):
File type is POWERSHELL.
- FILE_TYPE_VBA (416):
File type is VBA.
- FILE_TYPE_M4 (417):
File type is M4.
- FILE_TYPE_OBJETIVEC (418):
File type is OBJETIVEC.
- FILE_TYPE_JMOD (419):
File type is JMOD.
- FILE_TYPE_MAKEFILE (420):
File type is MAKEFILE.
- FILE_TYPE_INI (421):
File type is INI.
- FILE_TYPE_CLJ (422):
File type is CLJ.
- FILE_TYPE_PDB (425):
File type is PDB.
- FILE_TYPE_SQL (426):
File type is SQL.
- FILE_TYPE_NEKO (427):
File type is NEKO.
- FILE_TYPE_WER (428):
File type is WER.
- FILE_TYPE_GOLANG (429):
File type is GOLANG.
- FILE_TYPE_M3U (430):
File type is M3U.
- FILE_TYPE_BAT (431):
File type is BAT, Windows .bat/.cmd (old files are tagged as SHELLSCRIPT).
- FILE_TYPE_MSC (432):
File type is MSC, Microsoft Management Console (MMC).
- FILE_TYPE_RDP (433):
File type is RDP, Microsoft Remote Desktop Protocol (RDP) file.
- FILE_TYPE_SYMBIAN (500):
File type is SYMBIAN.
- FILE_TYPE_PALMOS (501):
File type is PALMOS.
- FILE_TYPE_WINCE (502):
File type is WINCE.
- FILE_TYPE_ANDROID (503):
File type is ANDROID.
- FILE_TYPE_IPHONE (504):
File type is IPHONE.
- FILE_TYPE_HTML (600):
File type is HTML.
- FILE_TYPE_XML (601):
File type is XML.
- FILE_TYPE_SWF (602):
File type is SWF.
- FILE_TYPE_FLA (603):
File type is FLA.
- FILE_TYPE_COOKIE (604):
File type is COOKIE.
- FILE_TYPE_TORRENT (605):
File type is TORRENT.
- FILE_TYPE_EMAIL_TYPE (606):
File type is EMAIL_TYPE.
- FILE_TYPE_OUTLOOK (607):
File type is OUTLOOK.
- FILE_TYPE_SGML (608):
File type is SGML.
- FILE_TYPE_JSON (609):
File type is JSON.
- FILE_TYPE_CSV (610):
File type is CSV.
- FILE_TYPE_HTA (611):
File type is HTA (HTML Application).
- FILE_TYPE_INTERNET_SHORTCUT (612):
File type is MSHTML .url.
- FILE_TYPE_CAP (700):
File type is CAP.
- FILE_TYPE_ISOIMAGE (800):
File type is ISOIMAGE.
- FILE_TYPE_SQUASHFS (801):
File type is SQUASHFS.
- FILE_TYPE_VHD (802):
File type is VHD.
- FILE_TYPE_APPLE (1000):
File type is APPLE.
- FILE_TYPE_MACINTOSH (1001):
File type is MACINTOSH.
- FILE_TYPE_APPLESINGLE (1002):
File type is APPLESINGLE.
- FILE_TYPE_APPLEDOUBLE (1003):
File type is APPLEDOUBLE.
- FILE_TYPE_MACINTOSH_HFS (1004):
File type is MACINTOSH_HFS.
- FILE_TYPE_APPLE_PLIST (1005):
File type is APPLE_PLIST.
- FILE_TYPE_MACINTOSH_LIB (1006):
File type is MACINTOSH_LIB.
- FILE_TYPE_APPLESCRIPT (1007):
File type is APPLESCRIPT.
- FILE_TYPE_APPLESCRIPT_COMPILED (1008):
File type is APPLESCRIPT_COMPILED.
- FILE_TYPE_CRX (1100):
File type is CRX.
- FILE_TYPE_XPI (1101):
File type is XPI.
- FILE_TYPE_ROM (1200):
File type is ROM.
- FILE_TYPE_IPS (1201):
File type is IPS.
- FILE_TYPE_PEM (1300):
File type is PEM.
- FILE_TYPE_PGP (1301):
File type is PGP.
- FILE_TYPE_CRT (1302):
File type is CRT.
- class google.backstory.types.FileMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Metadata about a file. Place metadata about different file types here, for example data from the Microsoft Windows VersionInfo block or digital signer details. Use a different sub-message per file type.
- pe¶
Metadata for Microsoft Windows PE files. Deprecated: PeFileMetadata is superseded by the single File proto.
- class google.backstory.types.FileMetadataCodesign(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File metadata from the codesign utility.
- compilation_time¶
Code signing timestamp.
- class google.backstory.types.FileMetadataImports(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File metadata imports.
- class google.backstory.types.FileMetadataPE(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Metadata about the Portable Executable (PE) file.
- compilation_time¶
info.pe-timestamp.
- compilation_exiftool_time¶
info.exiftool.TimeStamp.
- section¶
FileMetadataSection fields.
- Type
MutableSequence[google.backstory.types.FileMetadataSection]
- imports¶
FileMetadataImports fields.
- Type
MutableSequence[google.backstory.types.FileMetadataImports]
- resource¶
FileMetadataPeResourceInfo fields.
- Type
MutableSequence[google.backstory.types.FileMetadataPeResourceInfo]
- resources_type_count¶
Deprecated: use resources_type_count_str.
- Type
MutableSequence[google.backstory.types.StringToInt64MapEntry]
- resources_language_count¶
Deprecated: use resources_language_count_str.
- Type
MutableSequence[google.backstory.types.StringToInt64MapEntry]
- resources_type_count_str¶
Number of resources by resource type. Example: RT_ICON: 10, RT_DIALOG: 5
- Type
MutableSequence[google.backstory.types.Label]
- resources_language_count_str¶
Number of resources by language. Example: NEUTRAL: 20, ENGLISH US: 10
- Type
MutableSequence[google.backstory.types.Label]
- signature_info¶
FileMetadataSignatureInfo field. Deprecated: use File.signature_info instead.
- class google.backstory.types.FileMetadataPeResourceInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File metadata for a PE resource.
- language_code¶
Human-readable version of the language and sublanguage identifiers, as defined in the Microsoft Windows PE specification.
- Type
- class google.backstory.types.FileMetadataSection(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File metadata section.
- class google.backstory.types.FileMetadataSignatureInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Signature information.
- verification_message¶
Status of the certificate. Valid values are “Signed”, “Unsigned” or a description of the certificate anomaly, if found.
- Type
- signers¶
File metadata signer information. The order of the signers matters: each element is a higher-level authority than the one before it, and the last element is the root authority.
- Type
MutableSequence[google.backstory.types.SignerInfo]
- x509¶
List of certificates.
- Type
MutableSequence[google.backstory.types.X509]
- class google.backstory.types.FindingVariable(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A structure that holds the value and associated metadata for values extracted while producing a Finding.
This message has oneof fields (mutually exclusive fields). For each oneof, at most one member field can be set at the same time. Setting any member of the oneof automatically clears all other members.
- type_¶
The type of the variable.
- source_path¶
The UDM field path for the field from which this value was derived. Example: principal.user.username
- Type
- string_val¶
The value in string format. Enum values are returned as strings.
This field is a member of oneof typed_value.
- Type
- class Type(value)[source]¶
Bases:
proto.enums.Enum
Type options for Finding variables.
- Values:
- TYPE_UNSPECIFIED (0):
An unspecified variable type.
- MATCH (1):
A variable coming from the match conditions.
- OUTCOME (2):
A variable representing significant data that was found in the detection logic.
- class google.backstory.types.Ftp(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
FTP info.
- class google.backstory.types.Group(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about an organizational group.
- product_object_id¶
Product globally unique user object identifier, such as an LDAP Object Identifier.
- Type
- creation_time¶
Group creation time. Deprecated: creation_time should be populated in Attribute as generic metadata.
- attribute¶
Generic entity metadata attributes of the group.
- class google.backstory.types.GroupedFields(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Grouped fields are aliases for groups of related UDM fields. All fields grouped together are of type string.
- class google.backstory.types.Hardware(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Hardware specification details for a resource, including both physical and virtual hardware.
- class google.backstory.types.Http(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Specify the full URL of the HTTP request within “target”. Also specify any uploaded or downloaded file information within “source” or “target”.
- user_agent¶
The User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
- Type
- class google.backstory.types.Id(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Identifier for a UDM object such as a UDM event, Entity, or Collection. The full identifier for persistence is created by setting the 32 most significant bits to the Id.Namespace enum value. This is a convenience wrapper to define the id space enum values and provide an easy interface for RPCs; most persistence use cases should use a denormalized form.
- namespace¶
Namespace the id belongs to.
- string_id¶
Some ids are stored as strings that are not able to be translated to bytes, so store these separately. Ex. detection id of the form de_aaaaaaaa-aaaa…
- Type
- class Namespace(value)[source]¶
Bases:
proto.enums.Enum
Extracted namespace component.
- Values:
- NORMALIZED_TELEMETRY (0):
Ingested and Normalized telemetry events
- RAW_TELEMETRY (1):
Ingested Raw telemetry
- RULE_DETECTIONS (2):
Chronicle Rules engine
- UPPERCASE (3):
Uppercase
- MACHINE_INTELLIGENCE (4):
DSML - Machine Intelligence
- SECURITY_COMMAND_CENTER (5):
A normalized telemetry event from Google Security Command Center.
- UNSPECIFIED (6):
Unspecified Namespace
- SOAR_ALERT (7):
An alert coming from other SIEMs via Chronicle SOAR.
- VIRUS_TOTAL (8):
VirusTotal.
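As an added illustration of the Id layout described above (example code, not part of the google.backstory library), the following Python packs an Id.Namespace value into the 32 most significant bits of a denormalized identifier and recovers it again. It assumes a 64-bit identifier, so the low 32 bits carry the local id, and it keeps ids that have no numeric form (such as the de_… detection id form) as string_id next to their namespace.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Union


class Namespace(IntEnum):
    """Id.Namespace values as listed in this reference."""
    NORMALIZED_TELEMETRY = 0
    RAW_TELEMETRY = 1
    RULE_DETECTIONS = 2
    UPPERCASE = 3
    MACHINE_INTELLIGENCE = 4
    SECURITY_COMMAND_CENTER = 5
    UNSPECIFIED = 6
    SOAR_ALERT = 7
    VIRUS_TOTAL = 8


NAMESPACE_SHIFT = 32            # the namespace occupies the 32 most significant bits
LOCAL_MASK = (1 << 32) - 1      # ASSUMPTION: 64-bit identifier, so 32 low bits hold the local id
MAX_PACKED = (1 << 64) - 1


@dataclass(frozen=True)
class Id:
    """Stand-in for the Id message: a namespace plus either a numeric or a string component."""
    namespace: Namespace
    local_id: Optional[int] = None    # numeric component, must fit in 32 bits
    string_id: Optional[str] = None   # ids that cannot be translated to bytes, e.g. "de_aaaaaaaa-aaaa"


def has_numeric_form(id_: Id) -> bool:
    """True when the id can be denormalized into a single integer."""
    return id_.local_id is not None


def denormalize(id_: Id) -> int:
    """Pack the namespace into the high 32 bits and the local id into the low 32 bits."""
    if not has_numeric_form(id_):
        raise ValueError("string ids have no numeric form; persist string_id with the namespace")
    if not 0 <= id_.local_id <= LOCAL_MASK:
        raise ValueError(f"local id {id_.local_id} does not fit in 32 bits")
    return (int(id_.namespace) << NAMESPACE_SHIFT) | id_.local_id


def normalize(packed: int) -> Id:
    """Inverse of denormalize: split a packed 64-bit value back into namespace and local id."""
    if not 0 <= packed <= MAX_PACKED:
        raise ValueError("packed id must be an unsigned 64-bit value")
    ns_value = packed >> NAMESPACE_SHIFT
    try:
        namespace = Namespace(ns_value)
    except ValueError:
        # An unlisted namespace means the value did not come from this id space.
        raise ValueError(f"unknown namespace value {ns_value}") from None
    return Id(namespace=namespace, local_id=packed & LOCAL_MASK)


def make_id(namespace: Namespace, raw: Union[str, int]) -> Id:
    """Build an Id from raw input: integers (or digit strings) pack numerically,
    anything else is kept verbatim as string_id."""
    if isinstance(raw, int):
        return Id(namespace, local_id=raw)
    if raw.isdigit():
        return Id(namespace, local_id=int(raw))
    return Id(namespace, string_id=raw)


if __name__ == "__main__":
    # Constructed sample values, not real Chronicle identifiers.
    event_id = make_id(Namespace.NORMALIZED_TELEMETRY, 12345)
    print(hex(denormalize(event_id)), normalize(denormalize(event_id)))
    detection = make_id(Namespace.RULE_DETECTIONS, "de_aaaaaaaa-aaaa")
    print(detection, has_numeric_form(detection))
```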
- class google.backstory.types.Int64Sequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Int64Sequence represents a sequence of int64s.
- class google.backstory.types.Investigation(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Represents the aggregated state of an investigation such as categorization, severity, and status. Can be expanded to include analyst assignment details and more.
- verdict¶
Describes the reason a finding investigation was resolved.
This field is a member of oneof _verdict.
- reputation¶
Describes whether a finding was useful or not useful.
This field is a member of oneof _reputation.
- severity_score¶
Severity score for a finding set by an analyst.
This field is a member of oneof _severity_score.
- Type
- priority¶
Priority of the Alert or Finding set by an analyst.
This field is a member of oneof _priority.
- root_cause¶
Root cause of the Alert or Finding set by an analyst.
This field is a member of oneof _root_cause.
- Type
- class google.backstory.types.Label(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Key-value labels.
- class google.backstory.types.LatencyMetrics(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
LatencyMetrics contains relevant timestamps for measuring latency per event variable. These metrics are calculated from ALL of the events that contribute to the detection, not just the sampled ones.
- oldest_ingestion_time¶
The oldest ingestion timestamp from the events used to create the detection.
- newest_ingestion_time¶
The newest (most recent) ingestion timestamp from the events used to create the detection.
- oldest_event_time¶
The oldest event timestamp from the events used to create the detection.
- newest_event_time¶
The newest (most recent) event timestamp from the events used to create the detection.
- ingestion_latency¶
The difference between the newest ingestion timestamp and the newest event timestamp.
- class google.backstory.types.LinuxUtmp(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The LinuxUtmp extension captures details specific to Linux Utmp events.
- record_type¶
The activity record type.
- class RecordType(value)[source]¶
Bases:
proto.enums.Enum
The type of activity record from the Utmp file.
- Values:
- RECORD_TYPE_UNSPECIFIED (0):
The default record type.
- RUN_LVL (1):
Run-level change.
- BOOT_TIME (2):
System boot time.
- NEW_TIME (3):
New time after system clock change.
- OLD_TIME (4):
Old time before system clock change.
- INIT_PROCESS (5):
Process spawned by init.
- LOGIN_PROCESS (6):
Login process.
- USER_PROCESS (7):
Normal user process (logged-in session).
- DEAD_PROCESS (8):
Terminated process (session ended).
- ACCOUNTING (9):
Accounting message.
- class google.backstory.types.Location(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a location.
- name¶
Custom location name (e.g. building or site name like “London Office”). For cloud environments, this is the region (e.g. “us-west2”).
- Type
- desk_name¶
Desk name or individual location, typically for an employee in an office. (e.g. “IN-BLR-BCPC-11-1121D”).
- Type
- region_coordinates¶
Coordinates for the associated region. See https://cloud.google.com/vision/docs/reference/rest/v1/LatLng for a description of the fields.
- Type
google.type.latlng_pb2.LatLng
- class google.backstory.types.Metadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
General information associated with a UDM event.
- product_log_id¶
A vendor-specific event identifier to uniquely identify the event (e.g. a GUID).
- Type
- event_timestamp¶
The GMT timestamp when the event was generated.
- event_timestamp_attributes¶
Attributes associated with event_timestamp. This field is used to distinguish between different types of timestamps that can be used to represent the event_timestamp.
- Type
MutableSequence[google.backstory.types.Metadata.EventTimestampAttribute]
- collected_timestamp¶
The GMT timestamp when the event was collected by the vendor’s local collection infrastructure.
- ingested_timestamp¶
The GMT timestamp when the event was ingested (received) by Chronicle.
- event_type¶
The event type. If an event has multiple possible types, this specifies the most specific type.
- product_event_type¶
A short, descriptive, human-readable, product-specific event name or type (e.g. “Scanned X”, “User account created”, “process_start”).
- Type
- product_deployment_id¶
The deployment identifier assigned by the vendor for a product deployment.
- Type
- url_back_to_product¶
A URL that takes the user to the source product console for this event.
- Type
- ingestion_labels¶
User-configured ingestion metadata labels.
- Type
MutableSequence[google.backstory.types.Label]
- tags¶
Tags added by Chronicle after an event is parsed. It is an error to populate this field from within a parser.
- enrichment_state¶
The enrichment state.
- base_labels¶
Data access labels on the base event.
- enrichment_labels¶
Data access labels from all the contextual events used to enrich the base event.
- structured_fields¶
Flattened fields extracted from the log.
- class EnrichmentState(value)[source]¶
Bases:
proto.enums.Enum
An enrichment state.
- Values:
- ENRICHMENT_STATE_UNSPECIFIED (0):
Unspecified.
- ENRICHED (1):
The event has been enriched by Chronicle.
- UNENRICHED (2):
The event has not been enriched by Chronicle.
- class EventTimestampAttribute(value)[source]¶
Bases:
proto.enums.Enum
Enum representing the type of timestamp that the event_timestamp field represents.
- Values:
- EVENT_TIMESTAMP_ATTRIBUTE_UNSPECIFIED (0):
Default event timestamp attribute.
- FILE_LAST_ACCESS_TIME (1):
Deprecated. Use LAST_ACCESSED instead.
- FILE_LAST_MODIFIED_TIME (2):
Deprecated. Use LAST_MODIFIED instead.
- FILE_METADATA_LAST_CHANGE_TIME (3):
Deprecated. Use METADATA_LAST_CHANGED instead.
- FILE_CREATION_TIME (4):
Deprecated. Use CREATED instead.
- COLLECTED_TIME (5):
Deprecated. Use COLLECTED instead.
- COLLECTED (6):
The time when the event was collected by the vendor’s local collection infrastructure.
- ACCESSED (7):
The time when the file was accessed.
- CHANGED (8):
The time when the file was changed.
- CREATED (9):
The time when the file was first created.
- FILE_NAME_ACCESSED (10):
The time when the file name was accessed.
- FILE_NAME_CHANGED (11):
The time when the file name was changed.
- FILE_NAME_CREATED (12):
The time when the file name was created.
- FILE_NAME_LAST_ACCESSED (13):
The time when the file name was last accessed.
- FILE_NAME_LAST_MODIFIED (14):
The time when the file name was last modified.
- FILE_NAME_METADATA_LAST_CHANGED (15):
The time when the file name metadata was last changed.
- FILE_NAME_MODIFIED (16):
The time when the file name was modified.
- LAST_ACCESSED (17):
The time when the file was last accessed.
- LAST_MODIFIED (18):
The time when the file was last modified.
- METADATA_LAST_CHANGED (19):
The time when the file metadata was last changed.
- MODIFIED (20):
The time when the file was modified.
- ADDED (21):
Added Timestamp.
- BACKED_UP (22):
Backed Up Timestamp.
- LAST_CONNECTED (23):
Last Connected timestamp.
- DELETED (24):
Deleted Timestamp.
- ENDED (25):
Ended Timestamp.
- EXITED (26):
Exited Timestamp.
- EXPIRED (27):
Expired Timestamp.
- FIRST_ACCESSED (28):
First Accessed Timestamp.
- APPEARED (29):
Appeared Timestamp.
- INSTALLED (30):
Installed Timestamp.
- LAST_ACTIVE (31):
Last Active Timestamp.
- LAST_LOGGED_IN (32):
Last Login Timestamp.
- LAST_LOGIN_ATTEMPT (33):
Last Login Attempt Timestamp.
- LAST_PASSWORD_SET (34):
Last Password Set Timestamp.
- LAST_PRINTED (35):
Last Printed Timestamp.
- LAST_RESUMED (36):
Last Resumed Timestamp.
- LAST_EXECUTED (37):
Last Executed Timestamp.
- LAST_SEEN (38):
Last Seen Timestamp.
- LAST_SHUTDOWN (39):
Last Shutdown Timestamp.
- LAST_UPDATED (40):
Last Updated Timestamp.
- LAST_USED (41):
Last Used Timestamp.
- LAST_VISITED (42):
Last Visited Timestamp.
- LINKED (43):
Linked Timestamp.
- METADATA_MODIFIED (44):
Metadata Modified Timestamp.
- CONTENT_MODIFIED (45):
Modified Timestamp.
- PURCHASED (46):
Purchased Timestamp.
- RECORDED (47):
Recorded Timestamp.
- REQUEST_RECEIVED (48):
Request Received Timestamp.
- RESPONSE_SENT (49):
Response Sent Timestamp.
- SCHEDULED_TO_END (50):
Scheduled to End Timestamp.
- SCHEDULED_TO_START (51):
Scheduled to Start Timestamp.
- SENT (52):
Sent Timestamp.
- STARTED (53):
Started Timestamp.
- UPDATED (54):
Updated Timestamp.
- VALIDATED (55):
Validated Timestamp.
- MOST_RECENT_RUN (56):
Most Recent Run Timestamp.
- NEXT_RUN (57):
Next Run Timestamp.
- VISITED (58):
Visited Timestamp.
- TARGET_CREATED (59):
Target Created Timestamp.
- VOLUME_CREATED (60):
Volume Created Timestamp.
- POST_CHECKED (61):
Post Checked Timestamp.
- SYNCHRONIZED (62):
Synchronized Timestamp.
- ITEM_CREATED (63):
Item Created Timestamp.
- ITEM_MODIFIED (64):
Item Modified Timestamp.
- DOCUMENT_LAST_SAVED (65):
Document Last Saved Timestamp.
- LAST_REGISTERED (66):
Last Registered Timestamp.
- LAUNCHED (67):
Launched Timestamp.
- FIRST_VISITED (68):
First Visited Timestamp.
- FIRST_SEEN (69):
First Seen Timestamp.
- DOWNLOADED (70):
Downloaded Timestamp.
- class EventType(value)[source]¶
Bases:
proto.enums.Enum
An event type. Choose the event type based on the product that logged the event, not the product that generated it. For example, an antivirus (AV) scanning email on a client would generate an SMTP_PROXY event, not an AV event. A DLP device scanning a web upload would generate an HTTP_PROXY event and not a DLP or process activity event. Note: In the case of an HTTP_PROXY event, you might also include process details if this occurred on an endpoint. That is optional, but the event's status as an HTTP_PROXY event imposes a certain set of required fields and banned fields.
- Values:
- EVENTTYPE_UNSPECIFIED (0):
Default event type
- PROCESS_UNCATEGORIZED (10000):
Activity related to a process which does not match any other event types.
- PROCESS_LAUNCH (10001):
Process launch.
- PROCESS_INJECTION (10002):
Process injecting into another process.
- PROCESS_PRIVILEGE_ESCALATION (10003):
Process privilege escalation.
- PROCESS_TERMINATION (10004):
Process termination.
- PROCESS_OPEN (10005):
Process being opened.
- PROCESS_MODULE_LOAD (10006):
Process loading a module.
- REGISTRY_UNCATEGORIZED (11000):
Registry event which does not match any of the other event types.
- REGISTRY_CREATION (11001):
Registry creation.
- REGISTRY_MODIFICATION (11002):
Registry modification.
- REGISTRY_DELETION (11003):
Registry deletion.
- SETTING_UNCATEGORIZED (12000):
Settings-related event which does not match any of the other event types.
- SETTING_CREATION (12001):
Setting creation.
- SETTING_MODIFICATION (12002):
Setting modification.
- SETTING_DELETION (12003):
Setting deletion.
- MUTEX_UNCATEGORIZED (13000):
Any mutex event other than creation.
- MUTEX_CREATION (13001):
Mutex creation.
- FILE_UNCATEGORIZED (14000):
File event which does not match any of the other event types.
- FILE_CREATION (14001):
File created.
- FILE_DELETION (14002):
File deleted.
- FILE_MODIFICATION (14003):
File modified.
- FILE_READ (14004):
File read.
- FILE_COPY (14005):
File copied. Used for file copies, for example, to a thumb drive.
- FILE_OPEN (14006):
File opened.
- FILE_MOVE (14007):
File moved or renamed.
- FILE_SYNC (14008):
File synced (for example, Google Drive, Dropbox, backup).
- USER_UNCATEGORIZED (15000):
User activity which does not match any of the other event types.
- USER_LOGIN (15001):
User login.
- USER_LOGOUT (15002):
User logout.
- USER_CREATION (15003):
User creation.
- USER_CHANGE_PASSWORD (15004):
User password change event.
- USER_CHANGE_PERMISSIONS (15005):
Change in user permissions.
- USER_STATS (15006):
Deprecated. Used to update user info for an LDAP dump.
- USER_BADGE_IN (15007):
User physically badging into a location.
- USER_DELETION (15008):
User deletion.
- USER_RESOURCE_CREATION (15009):
User creating a virtual resource. This is equivalent to RESOURCE_CREATION.
- USER_RESOURCE_UPDATE_CONTENT (15010):
User updating content of a virtual resource. This is equivalent to RESOURCE_WRITTEN.
- USER_RESOURCE_UPDATE_PERMISSIONS (15011):
User updating permissions of a virtual resource. This is equivalent to RESOURCE_PERMISSIONS_CHANGE.
- USER_COMMUNICATION (15012):
User initiating communication through a medium (for example, video).
- USER_RESOURCE_ACCESS (15013):
User accessing a virtual resource. This is equivalent to RESOURCE_READ.
- USER_RESOURCE_DELETION (15014):
User deleting a virtual resource. This is equivalent to RESOURCE_DELETION.
- GROUP_UNCATEGORIZED (23000):
A group activity that does not fall into one of the other event types.
- GROUP_CREATION (23001):
A group creation.
- GROUP_DELETION (23002):
A group deletion.
- GROUP_MODIFICATION (23003):
A group modification.
- EMAIL_UNCATEGORIZED (19000):
Email messages
- EMAIL_TRANSACTION (19001):
An email transaction.
- EMAIL_URL_CLICK (19002):
Deprecated: use NETWORK_HTTP instead. An email URL click event.
- NETWORK_UNCATEGORIZED (16000):
A network event that does not fit into one of the other event types.
- NETWORK_FLOW (16001):
Aggregated flow stats like netflow.
- NETWORK_CONNECTION (16002):
Network connection details, for example from a firewall.
- NETWORK_FTP (16003):
FTP telemetry.
- NETWORK_DHCP (16004):
DHCP payload.
- NETWORK_DNS (16005):
DNS payload.
- NETWORK_HTTP (16006):
HTTP telemetry.
- NETWORK_SMTP (16007):
SMTP telemetry.
- STATUS_UNCATEGORIZED (17000):
A status message that does not fit into one of the other event types.
- STATUS_HEARTBEAT (17001):
Heartbeat indicating product is alive.
- STATUS_STARTUP (17002):
An agent startup.
- STATUS_SHUTDOWN (17003):
An agent shutdown.
- STATUS_UPDATE (17004):
A software or fingerprint update.
- SCAN_UNCATEGORIZED (18000):
Scan item that does not fit into one of the other event types.
- SCAN_FILE (18001):
A file scan.
- SCAN_PROCESS_BEHAVIORS (18002):
Scan process behaviors. Please use SCAN_PROCESS instead.
- SCAN_PROCESS (18003):
Scan process.
- SCAN_HOST (18004):
Scan results from scanning an entire host device for threats/sensitive documents.
- SCAN_VULN_HOST (18005):
Vulnerability scan logs about host vulnerabilities (e.g., out of date software) and network vulnerabilities (e.g., unprotected service detected via a network scan).
- SCAN_VULN_NETWORK (18006):
Vulnerability scan logs about network vulnerabilities.
- SCAN_NETWORK (18007):
Scan network for suspicious activity
- SCHEDULED_TASK_UNCATEGORIZED (20000):
Scheduled task event that does not fall into one of the other event types.
- SCHEDULED_TASK_CREATION (20001):
Scheduled task creation.
- SCHEDULED_TASK_DELETION (20002):
Scheduled task deletion.
- SCHEDULED_TASK_ENABLE (20003):
Scheduled task being enabled.
- SCHEDULED_TASK_DISABLE (20004):
Scheduled task being disabled.
- SCHEDULED_TASK_MODIFICATION (20005):
Scheduled task being modified.
- SYSTEM_AUDIT_LOG_UNCATEGORIZED (21000):
A system audit log event that is not a wipe.
- SYSTEM_AUDIT_LOG_WIPE (21001):
A system audit log wipe.
- SERVICE_UNSPECIFIED (22000):
Service event that does not fit into one of the other event types.
- SERVICE_CREATION (22001):
A service creation.
- SERVICE_DELETION (22002):
A service deletion.
- SERVICE_START (22003):
A service start.
- SERVICE_STOP (22004):
A service stop.
- SERVICE_MODIFICATION (22005):
A service modification.
- GENERIC_EVENT (100000):
Operating system events that are not described by any of the other event types. Might include uncategorized Microsoft Windows event logs.
- RESOURCE_CREATION (1):
The resource was created/provisioned. This is equivalent to USER_RESOURCE_CREATION.
- RESOURCE_DELETION (2):
The resource was deleted/deprovisioned. This is equivalent to USER_RESOURCE_DELETION.
- RESOURCE_PERMISSIONS_CHANGE (3):
The resource had its permissions or ACLs updated. This is equivalent to USER_RESOURCE_UPDATE_PERMISSIONS.
- RESOURCE_READ (4):
The resource was read. This is equivalent to USER_RESOURCE_ACCESS.
- RESOURCE_WRITTEN (5):
The resource was written to. This is equivalent to USER_RESOURCE_UPDATE_CONTENT.
- DEVICE_FIRMWARE_UPDATE (25000):
Firmware update.
- DEVICE_CONFIG_UPDATE (25001):
Configuration update.
- DEVICE_PROGRAM_UPLOAD (25002):
A program or application uploaded to a device.
- DEVICE_PROGRAM_DOWNLOAD (25003):
A program or application downloaded to a device.
- ANALYST_UPDATE_VERDICT (24000):
Analyst update about the Verdict (such as true positive, false positive, or disregard) of a finding.
- ANALYST_UPDATE_REPUTATION (24001):
Analyst update about the Reputation (such as useful or not useful) of a finding.
- ANALYST_UPDATE_SEVERITY_SCORE (24002):
Analyst update about the Severity score (0-100) of a finding.
- ANALYST_UPDATE_STATUS (24007):
Analyst update about the finding status.
- ANALYST_ADD_COMMENT (24008):
Analyst addition of a comment for a finding.
- ANALYST_UPDATE_PRIORITY (24009):
Analyst update about the priority (such as low, medium, or high) for a finding.
- ANALYST_UPDATE_ROOT_CAUSE (24010):
Analyst update about the root cause for a finding.
- ANALYST_UPDATE_REASON (24011):
Analyst update about the reason (such as malicious or not malicious) for a finding.
- ANALYST_UPDATE_RISK_SCORE (24012):
Analyst update about the risk score (0-100) of a finding.
- ENTITY_RISK_CHANGE (26000):
An update to an entity risk score. This event type is restricted to events published by Google Security Operations Risk Analytics.
- TRIAGE_AGENT_UPDATE_INVESTIGATION (27000):
Triage Agent has investigated the finding.
- class google.backstory.types.Metric(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Stores precomputed aggregated analytic data for an entity.
- first_seen¶
Timestamp of the first time the entity was seen in the environment.
- last_seen¶
Timestamp of the last time the entity was seen in the environment.
- sum_measure¶
Sum of all precomputed measures for the given metric.
- metric_name¶
Name of the analytic.
- dimensions¶
All group by clauses used to calculate the metric.
- Type
MutableSequence[google.backstory.types.Metric.Dimension]
- display_name¶
Display name of the custom metric. Google-authored metrics do not have a display name.
- Type
- outcome_variables¶
List of outcome variables used in the custom metric.
- Type
MutableSequence[google.backstory.types.FindingVariable]
- match_variables¶
List of match variables used in the custom metric.
- Type
MutableSequence[google.backstory.types.FindingVariable]
- time_range¶
Time range for which the custom metric was calculated.
- Type
google.type.interval_pb2.Interval
- class AggregateFunction(value)[source]¶
Bases:
proto.enums.Enum
Mathematical function used to calculate the value.
- Values:
- AGGREGATE_FUNCTION_UNSPECIFIED (0):
Default value.
- MIN (1):
Minimum.
- MAX (2):
Maximum.
- COUNT (3):
Count.
- SUM (4):
Sum.
- AVG (5):
Average.
- STDDEV (6):
Standard Deviation.
- class Dimension(value)[source]¶
Bases:
proto.enums.Enum
Describes the field used as the dimension when grouping data to calculate the aggregate metric.
- Values:
- DIMENSION_UNSPECIFIED (0):
Default
- PRINCIPAL_DEVICE (1):
Principal Device
- TARGET_USER (2):
Target User
- TARGET_DEVICE (3):
Target Device
- PRINCIPAL_USER (4):
Principal User
- TARGET_IP (5):
Target IP
- PRINCIPAL_FILE_HASH (6):
Principal File Hash
- PRINCIPAL_COUNTRY (7):
Principal Country
- SECURITY_CATEGORY (8):
Security Category
- NETWORK_ASN (9):
Network ASN
- CLIENT_CERTIFICATE_HASH (10):
Client Certificate Hash
- DNS_QUERY_TYPE (11):
DNS Query Type
- DNS_DOMAIN (12):
DNS Domain
- HTTP_USER_AGENT (13):
HTTP User Agent
- EVENT_TYPE (14):
Event Type
- PRODUCT_NAME (15):
Product Name
- PRODUCT_EVENT_TYPE (16):
Product Event Type
- PARENT_FOLDER_PATH (17):
Parent Folder Path
- TARGET_RESOURCE_NAME (18):
Target resource Name
- PRINCIPAL_APPLICATION (19):
Principal Application.
- TARGET_APPLICATION (20):
Target Application.
- EMAIL_TO_ADDRESS (21):
Email To Address.
- EMAIL_FROM_ADDRESS (22):
Email From Address.
- MAIL_ID (23):
Mail Id.
- PRINCIPAL_IP (24):
Principal IP.
- SECURITY_ACTION (25):
Security Action.
- SECURITY_RULE_ID (28):
Security Rule Id.
- TARGET_NETWORK_ORGANIZATION_NAME (29):
Target Network Organization name.
- PRINCIPAL_NETWORK_ORGANIZATION_NAME (30):
Principal Network Organization name.
- PRINCIPAL_PROCESS_FILE_PATH (31):
Principal Process File Path.
- PRINCIPAL_PROCESS_FILE_HASH (32):
Principal Process File SHA256 Hash.
- SECURITY_RESULT_RULE_NAME (33):
Security Result rule name.
- TARGET_RESOURCE_LABEL_KEY (34):
Target Resource label key.
- VENDOR_NAME (35):
Vendor name.
- TARGET_RESOURCE_TYPE (36):
Target Resource type.
- TARGET_LOCATION_NAME (37):
Target Location name.
- LOG_TYPE (38):
Log type.
- TARGET_HOSTNAME (39):
Target Hostname.
- class Measure(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Describes the precomputed measure.
- aggregate_function¶
Function used to calculate the aggregated measure.
- class MetricName(value)[source]¶
Bases:
proto.enums.Enum
The name of the precomputed analytic.
- Values:
- METRIC_NAME_UNSPECIFIED (0):
Default
- NETWORK_BYTES_INBOUND (1):
Total received network bytes.
- NETWORK_BYTES_OUTBOUND (2):
Total sent network bytes.
- NETWORK_BYTES_TOTAL (3):
Total sent and received network bytes.
- AUTH_ATTEMPTS_SUCCESS (4):
Successful authentication attempts.
- AUTH_ATTEMPTS_FAIL (5):
Failed authentication attempts.
- AUTH_ATTEMPTS_TOTAL (6):
Total authentication attempts.
- DNS_BYTES_OUTBOUND (7):
Total number of sent bytes for DNS events.
- NETWORK_FLOWS_INBOUND (8):
Total number of events having non-null received bytes.
- NETWORK_FLOWS_OUTBOUND (9):
Total number of events having non-null sent bytes.
- NETWORK_FLOWS_TOTAL (10):
Total events having non-null sent or received bytes.
- DNS_QUERIES_SUCCESS (11):
DNS query success count - Number of events with response_code = 0.
- DNS_QUERIES_FAIL (12):
Number of events with response_code != 0.
- DNS_QUERIES_TOTAL (13):
Total number of DNS queries made.
- FILE_EXECUTIONS_SUCCESS (14):
Number of successful file executions.
- FILE_EXECUTIONS_FAIL (15):
Number of failed file executions.
- FILE_EXECUTIONS_TOTAL (16):
Total number of file executions.
- HTTP_QUERIES_SUCCESS (17):
Number of successful HTTP queries.
- HTTP_QUERIES_FAIL (18):
Number of failed HTTP queries.
- HTTP_QUERIES_TOTAL (19):
Total number of HTTP queries.
- WORKSPACE_EMAILS_SENT_TOTAL (20):
Total number of emails sent in Google Workspace.
- WORKSPACE_TOTAL_DOWNLOAD_ACTIONS (21):
Total number of download actions in Google Workspace.
- WORKSPACE_TOTAL_CHANGE_ACTIONS (22):
Total number of change actions in Google Workspace.
- WORKSPACE_AUTH_ATTEMPTS_TOTAL (23):
Total number of authentication attempts in Google Workspace.
- WORKSPACE_NETWORK_BYTES_OUTBOUND (24):
Number of outbound network bytes (total sent) in Google Workspace.
- WORKSPACE_NETWORK_BYTES_TOTAL (25):
Total number of network bytes (both sent and received) in Google Workspace.
- ALERT_EVENT_NAME_COUNT (26):
Track number of alerts fired by EDR/SENTINEL/MICROSOFT_GRAPH.
- RESOURCE_CREATION_TOTAL (27):
Analytic tracking successful resource creations.
- RESOURCE_CREATION_SUCCESS (28):
Analytic tracking successful resource creations.
- RESOURCE_READ_SUCCESS (29):
Analytic tracking successful resource reads.
- RESOURCE_READ_FAIL (30):
Analytic tracking failed resource reads.
- RESOURCE_DELETION_SUCCESS (31):
Analytic tracking successful resource deletions.
- RESOURCE_CREATION_FAIL (32):
Analytic tracking failed resource creations.
- RESOURCE_DELETION_FAIL (33):
Analytic tracking failed resource deletions.
- RESOURCE_DELETION_TOTAL (34):
Analytic tracking total resource deletions.
- RESOURCE_READ_TOTAL (35):
Analytic tracking total resource reads.
- RESOURCE_WRITTEN_FAIL (36):
Analytic tracking failed resource writes.
- RESOURCE_WRITTEN_SUCCESS (37):
Analytic tracking successful resource writes.
- RESOURCE_WRITTEN_TOTAL (38):
Analytic tracking total resource writes.
- UDM_DATA_PRESENCE_SUMMARY (39):
UDM data summary tracking unique values of dimensions.
- class google.backstory.types.Network(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A network event.
- session_duration¶
The duration of the session as the number of seconds and nanoseconds. For seconds, network.session_duration.seconds, the type is a 64-bit integer. For nanoseconds, network.session_duration.nanos, the type is a 32-bit integer.
- direction¶
The direction of network traffic.
- ip_protocol¶
The IP protocol.
- application_protocol¶
The application protocol.
- ftp¶
FTP info.
- email¶
Email info for the sender/recipient.
- dns¶
DNS info.
- dhcp¶
DHCP info.
- http¶
HTTP info.
- tls¶
TLS info.
- smtp¶
SMTP info. Store fields specific to SMTP not covered by Email.
- proxy_info¶
Proxy information. Only set if is_proxy is true.
- connection_state¶
The state of the network connection.
- class ApplicationProtocol(value)[source]¶
Bases:
proto.enums.Enum
A network application protocol.
- Values:
- UNKNOWN_APPLICATION_PROTOCOL (0):
The default application protocol.
- AFP (1):
Apple Filing Protocol.
- APPC (2):
Advanced Program-to-Program Communication.
- AMQP (3):
Advanced Message Queuing Protocol.
- ATOM (4):
Publishing Protocol.
- BEEP (5):
Block Extensible Exchange Protocol.
- BITCOIN (6):
Cryptocurrency protocol.
- BIT_TORRENT (7):
Peer-to-peer file sharing.
- CFDP (8):
Coherent File Distribution Protocol.
- CIP (67):
Common Industrial Protocol.
- COAP (9):
Constrained Application Protocol.
- COTP (68):
Connection Oriented Transport Protocol.
- DCERPC (66):
DCE/RPC.
- DDS (10):
Data Distribution Service.
- DEVICE_NET (11):
Automation industry protocol.
- DHCP (4000):
DHCP.
- DICOM (69):
Digital Imaging and Communications in Medicine Protocol.
- DNP3 (70):
Distributed Network Protocol 3 (DNP3)
- DNS (3000):
DNS.
- E_DONKEY (12):
Classic file sharing protocol.
- ENRP (13):
Endpoint Handlespace Redundancy Protocol.
- FAST_TRACK (14):
Filesharing peer-to-peer protocol.
- FINGER (15):
User Information Protocol.
- FREENET (16):
Censorship resistant peer-to-peer network.
- FTAM (17):
File Transfer Access and Management.
- GOOSE (71):
GOOSE Protocol.
- GOPHER (18):
Gopher protocol.
- GRPC (77):
gRPC Remote Procedure Call.
- HL7 (19):
Health Level Seven.
- H323 (20):
Packet-based multimedia communications system.
- HTTP (2000):
HTTP.
- HTTPS (2001):
HTTPS.
- IEC104 (72):
IEC 60870-5-104 (IEC 104) Protocol.
- IRCP (21):
Internet Relay Chat Protocol.
- KADEMLIA (22):
Peer-to-peer hashtables.
- KRB5 (65):
Kerberos 5.
- LDAP (23):
Lightweight Directory Access Protocol.
- LPD (24):
Line Printer Daemon Protocol.
- MIME (25):
Multipurpose Internet Mail Extensions and Secure MIME.
- MMS (73):
Multimedia Messaging Service.
- MODBUS (26):
Serial communications protocol.
- MQTT (27):
Message Queuing Telemetry Transport.
- NETCONF (28):
Network Configuration.
- NFS (29):
Network File System.
- NIS (30):
Network Information Service.
- NNTP (31):
Network News Transfer Protocol.
- NTCIP (32):
National Transportation Communications for Intelligent Transportation System.
- NTP (33):
Network Time Protocol.
- OSCAR (34):
AOL Instant Messenger Protocol.
- PNRP (35):
Peer Name Resolution Protocol.
- PTP (74):
Precision Time Protocol.
- QUIC (1000):
QUIC.
- RDP (36):
Remote Desktop Protocol.
- RELP (37):
Reliable Event Logging Protocol.
- RIP (38):
Routing Information Protocol.
- RLOGIN (39):
Remote Login in UNIX Systems.
- RPC (40):
Remote Procedure Call.
- RTMP (41):
Real Time Messaging Protocol.
- RTP (42):
Real-time Transport Protocol.
- RTPS (43):
Real Time Publish Subscribe.
- RTSP (44):
Real Time Streaming Protocol.
- SAP (45):
Session Announcement Protocol.
- SDP (46):
Session Description Protocol.
- SIP (47):
Session Initiation Protocol.
- SLP (48):
Service Location Protocol.
- SMB (49):
Server Message Block.
- SMTP (50):
Simple Mail Transfer Protocol.
- SNMP (75):
Simple Network Management Protocol.
- SNTP (51):
Simple Network Time Protocol.
- SSH (52):
Secure Shell.
- SSMS (53):
Secure SMS Messaging Protocol.
- STYX (54):
Styx/9P - Plan 9 from Bell Labs distributed file system protocol.
- SV (76):
Sampled Values Protocol.
- TCAP (55):
Transaction Capabilities Application Part.
- TDS (56):
Tabular Data Stream.
- TOR (57):
Anonymity network.
- TSP (58):
Time Stamp Protocol.
- VTP (59):
Virtual Terminal Protocol.
- WHOIS (60):
Remote Directory Access Protocol.
- WEB_DAV (61):
Web Distributed Authoring and Versioning.
- X400 (62):
Message Handling Service Protocol.
- X500 (63):
Directory Access Protocol (DAP).
- XMPP (64):
Extensible Messaging and Presence Protocol.
- FTP (78):
File Transfer Protocol.
- class ConnectionState(value)[source]¶
Bases:
proto.enums.Enum
The state of a network connection.
- Values:
- CONNECTION_STATE_UNSPECIFIED (0):
The default connection state.
- LISTENING (1):
The port is listening for incoming connections.
- ESTABLISHED (2):
A connection has been established.
- TIME_WAIT (3):
The connection is waiting for a timeout.
- CLOSE_WAIT (4):
The connection is waiting for a connection termination request from the local application.
- CLOSED (5):
The connection is closed.
- SYN_SENT (6):
A connection request has been sent.
- SYN_RECEIVED (7):
A connection request has been received.
- FIN_WAIT1 (8):
The connection is waiting for a connection termination request from the remote host.
- FIN_WAIT2 (9):
The connection is waiting for a connection termination request from the local application.
- LAST_ACK (10):
The connection is waiting for an acknowledgment of the final connection termination request.
- class Direction(value)[source]¶
Bases:
proto.enums.Enum
A network traffic direction.
- Values:
- UNKNOWN_DIRECTION (0):
The default direction.
- INBOUND (1):
An inbound request.
- OUTBOUND (2):
An outbound request.
- BROADCAST (3):
A broadcast.
- class IpProtocol(value)[source]¶
Bases:
proto.enums.Enum
An IP protocol.
- Values:
- UNKNOWN_IP_PROTOCOL (0):
The default protocol.
- ICMP (1):
ICMP.
- IGMP (2):
IGMP
- TCP (6):
TCP.
- UDP (17):
UDP.
- IP6IN4 (41):
IPv6 Encapsulation
- GRE (47):
Generic Routing Encapsulation
- ESP (50):
Encapsulating Security Payload
- ICMP6 (58):
ICMPv6
- EIGRP (88):
Enhanced Interior Gateway Routing
- ETHERIP (97):
Ethernet-within-IP Encapsulation
- PIM (103):
Protocol Independent Multicast
- VRRP (112):
Virtual Router Redundancy Protocol
- SCTP (132):
Stream Control Transmission Protocol
- class google.backstory.types.Noun(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The Noun type is used to represent the different entities in an event: principal, src, target, observer, intermediary, and about. It stores attributes known about the entity. For example, if the entity is a device with multiple IP or MAC addresses, it stores the IP and MAC addresses that are relevant to the event.
- hostname¶
Client hostname or domain name field. Hostname also doubles as the domain for remote entities. This field can be used as an entity indicator for asset entities.
- Type
- domain¶
Information about the domain.
- artifact¶
Information about an artifact.
- url_metadata¶
Information about the URL.
- browser¶
Information about an entry in the web browser’s local history database.
- user¶
Information about the user.
- user_management_chain¶
Information about the user’s management chain (reporting hierarchy). Note: user_management_chain is only populated when data is exported to BigQuery since recursive fields (e.g. user.managers) are not supported by BigQuery.
- Type
MutableSequence[google.backstory.types.User]
- group¶
Information about the group.
- process¶
Information about the process.
- process_ancestors¶
Information about the process’s ancestors ordered from immediate ancestor (parent process) to root. Note: process_ancestors is only populated when data is exported to BigQuery since recursive fields (e.g. process.parent_process) are not supported by BigQuery.
- Type
MutableSequence[google.backstory.types.Process]
- asset¶
Information about the asset.
- ip¶
A list of IP addresses associated with a network connection. This field can be used as an entity indicator for asset entities.
- Type
MutableSequence[str]
- nat_ip¶
A list of NAT translated IP addresses associated with a network connection.
- Type
MutableSequence[str]
- port¶
Source or destination network port number when a specific network connection is described within an event.
- Type
- nat_port¶
NAT external network port number when a specific network connection is described within an event.
- Type
- mac¶
List of MAC addresses associated with a device. This field can be used as an entity indicator for asset entities.
- Type
MutableSequence[str]
- administrative_domain¶
Domain which the device belongs to (for example, the Microsoft Windows domain).
- Type
- namespace¶
Namespace which the device belongs to, such as “AD forest”. Uses for this field include the Microsoft Windows AD forest, the name of a subsidiary, or the name of an acquisition. This field can be used along with an asset indicator to identify an asset.
- Type
- file¶
Information about the file.
- registry¶
Registry information.
- application¶
The name of an application or service. Some SSO solutions only capture the name of a target application such as “Atlassian” or “Chronicle”.
- Type
- platform¶
Platform.
- cloud¶
Cloud metadata. Deprecated: cloud should be populated in entity Attribute as generic metadata (e.g. asset.attribute.cloud).
- location¶
Physical location. For cloud environments, set the region in location.name.
- ip_location¶
Deprecated: use ip_geo_artifact.location instead.
- Type
MutableSequence[google.backstory.types.Location]
- ip_geo_artifact¶
Enriched geographic information corresponding to an IP address. Specifically, location and network data.
- Type
MutableSequence[google.backstory.types.Artifact]
- resource¶
Information about the resource (e.g. scheduled task, calendar entry). This field should not be used for files, registry, or processes because these objects are already part of Noun.
- resource_ancestors¶
Information about the resource’s ancestors ordered from immediate ancestor (starting with parent resource).
- Type
MutableSequence[google.backstory.types.Resource]
- labels¶
Labels are key-value pairs. For example: key = “env”, value = “prod”. Deprecated: labels should be populated in entity Attribute as generic metadata (e.g. user.attribute.labels).
- Type
MutableSequence[google.backstory.types.Label]
- object_reference¶
The finding whose feedback the analyst updated.
- investigation¶
Analyst feedback/investigation for alerts.
- network¶
Network details, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
- security_result¶
A list of security results.
- Type
MutableSequence[google.backstory.types.SecurityResult]
- class Platform(value)[source]¶
Bases:
proto.enums.Enum
Operating system platform.
- Values:
- UNKNOWN_PLATFORM (0):
Default value.
- WINDOWS (1):
Microsoft Windows.
- MAC (2):
macOS.
- LINUX (3):
Linux.
- GCP (4):
Deprecated: see cloud.environment.
- AWS (5):
Deprecated: see cloud.environment.
- AZURE (6):
Deprecated: see cloud.environment.
- IOS (7):
iOS.
- ANDROID (8):
Android
- CHROME_OS (9):
Chrome OS
- class google.backstory.types.NtfsFileMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
NTFS-specific file metadata.
- change_time¶
NTFS MFT entry changed timestamp.
- filename_create_time¶
NTFS $FILE_NAME attribute created timestamp.
- filename_modify_time¶
NTFS $FILE_NAME attribute modified timestamp.
- filename_access_time¶
NTFS $FILE_NAME attribute accessed timestamp.
- filename_change_time¶
NTFS $FILE_NAME attribute changed timestamp.
- usn_journal¶
NTFS USN journal.
- Type
MutableSequence[google.backstory.types.UsnJournal]
- class google.backstory.types.OutlookMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Microsoft Outlook specific metadata.
- class google.backstory.types.PDFInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about the PDF file structure. See https://developers.virustotal.com/reference/pdf_info
- js¶
Number of /JS tags found in the PDF file. Should be the same as javascript field in normal scenarios.
- Type
- javascript¶
Number of /JavaScript tags found in the PDF file. Should be the same as the js field in normal scenarios.
- Type
- class google.backstory.types.PeFileMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Metadata about a Microsoft Windows Portable Executable.
- class google.backstory.types.Permission(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
System permission for resource access and modification.
- type_¶
Type of the permission.
- class PermissionType(value)[source]¶
Bases:
proto.enums.Enum
High-level categorizations of permission type.
- Values:
- UNKNOWN_PERMISSION_TYPE (0):
Default permission type.
- ADMIN_WRITE (1):
Administrator write permission.
- ADMIN_READ (2):
Administrator read permission.
- DATA_WRITE (3):
Data resource access write permission.
- DATA_READ (4):
Data resource access read permission.
- class google.backstory.types.PlatformSoftware(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Platform software information about an operating system.
- platform¶
The platform operating system.
- class google.backstory.types.PopularityRank(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Domain’s position in popularity ranks for sources such as Alexa, Quantcast, or Statvoo.
- ingestion_time¶
Timestamp when the rank was ingested.
- class google.backstory.types.PrefetchFileMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Windows Prefetch file metadata.
- class google.backstory.types.Prevalence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The prevalence of a resource within the customer’s environment. This measures how common it is for assets to access the resource.
- rolling_max¶
The maximum number of assets per day accessing the resource over the trailing day_count days.
- Type
- rolling_max_sub_domains¶
The maximum number of assets per day accessing the domain along with sub-domains over the trailing day_count days. This field is only valid for domains.
- Type
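The rolling-window computation the two Prevalence fields describe, as an added example that is not part of the google.backstory client library: it runs over constructed access records (asset, resource, day) and takes day_count, which the field descriptions refer to, as a function parameter.

```python
# Added example, not library code: computes rolling_max and
# rolling_max_sub_domains from constructed access records.
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data, not real telemetry: (asset, resource accessed, ISO day).
ACCESS_LOG = [
    ("host-a", "example.com",     "2024-05-01"),
    ("host-b", "cdn.example.com", "2024-05-01"),
    ("host-c", "example.com",     "2024-05-01"),
    ("host-a", "example.com",     "2024-05-02"),
    ("host-d", "api.example.com", "2024-05-02"),
    ("host-e", "api.example.com", "2024-05-02"),
    ("host-a", "example.com",     "2024-05-03"),
    ("host-a", "example.com",     "2024-05-04"),
    ("host-b", "example.com",     "2024-05-04"),
    ("host-g", "notexample.com",  "2024-05-04"),  # must not match example.com
    ("host-a", "example.com",     "2024-05-04"),  # same asset twice in a day counts once
]


def _matches(resource: str, domain: str, include_sub_domains: bool) -> bool:
    """Exact match, or a proper sub-domain when include_sub_domains is set.
    The leading dot keeps 'notexample.com' from matching 'example.com'."""
    if resource == domain:
        return True
    return include_sub_domains and resource.endswith("." + domain)


def daily_asset_counts(log, domain, include_sub_domains=False):
    """Number of distinct assets that accessed the domain on each day."""
    assets_by_day = defaultdict(set)
    for asset, resource, day in log:
        if _matches(resource, domain, include_sub_domains):
            assets_by_day[date.fromisoformat(day)].add(asset)
    return {day: len(assets) for day, assets in assets_by_day.items()}


def rolling_max(log, domain, day_count, as_of, include_sub_domains=False):
    """Maximum per-day distinct-asset count over the trailing day_count days
    ending at as_of (inclusive). Days with no access count as zero, so a
    domain nobody touched inside the window has a rolling max of 0."""
    counts = daily_asset_counts(log, domain, include_sub_domains)
    end = date.fromisoformat(as_of)
    window = (end - timedelta(days=i) for i in range(day_count))
    return max((counts.get(day, 0) for day in window), default=0)


def prevalence(log, domain, day_count, as_of):
    """Both Prevalence measures for a domain, as a plain dict."""
    return {
        "rolling_max": rolling_max(log, domain, day_count, as_of),
        "rolling_max_sub_domains": rolling_max(log, domain, day_count, as_of, True),
    }


if __name__ == "__main__":
    # Over the trailing 3 days the bare domain peaks at 2 assets (May 4),
    # while domain plus sub-domains peaks at 3 (May 2: host-a, host-d, host-e).
    print(prevalence(ACCESS_LOG, "example.com", 3, "2024-05-04"))
```

A domain whose rolling_max stays at 1 or 2 is rarely contacted in the environment, which is the signal that prevalence-based rarity detections key on.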
- class google.backstory.types.Priority(value)[source]¶
Bases:
proto.enums.Enum
Priority that is assigned to a Case or Alert.
- Values:
- PRIORITY_UNSPECIFIED (0):
Default priority level.
- PRIORITY_INFO (100):
Informational priority.
- PRIORITY_LOW (200):
Low priority.
- PRIORITY_MEDIUM (300):
Medium priority.
- PRIORITY_HIGH (400):
High priority.
- PRIORITY_CRITICAL (500):
Critical priority.
- class google.backstory.types.Process(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a process.
- parent_process¶
Information about the parent process.
- file¶
Information about the file in use by the process.
- command_line¶
The command line command that created the process. This field can be used as an entity indicator for process entities.
- Type
- integrity_level_rid¶
The Microsoft Windows integrity level relative ID (RID) of the process.
- Type
- token_elevation_type¶
The elevation type of the process on Microsoft Windows. This determines if any privileges are removed when UAC is enabled.
- product_specific_parent_process_id¶
A product-specific ID for the parent process. Please use parent_process.product_specific_process_id instead.
- Type
- kernel_duration¶
The kernel time spent in the process.
- user_duration¶
The user time spent in the process.
- real_duration¶
The real time spent in the process. This is the sum of the kernel and user time.
- state¶
The state of the process.
- class State(value)[source]¶
Bases:
proto.enums.Enum
The state of the process. See https://psutil.readthedocs.io/en/stable/#process-status-constants.
- Values:
- STATE_UNSPECIFIED (0):
Undetermined state.
- RUNNING (1):
Process is running or runnable.
- SLEEPING (2):
Process is waiting for an event.
- DISK_SLEEP (3):
Process is in uninterruptible sleep, typically I/O.
- STOPPED (4):
Process is stopped.
- TRACING_STOP (5):
Process is stopped by debugger.
- ZOMBIE (6):
Process is terminated but not reaped by parent.
- DEAD (7):
Process is terminated.
- WAKE_KILL (8):
Process is woken to be killed.
- WAKING (9):
Process is waking from sleep.
- PARKED (10):
Linux specific: process is parked.
- IDLE (11):
Linux, macOS, and FreeBSD specific: process is idle.
- LOCKED (12):
FreeBSD specific: process is locked.
- WAITING (13):
FreeBSD specific: process is waiting.
- SUSPENDED (14):
NetBSD specific: process is suspended.
- class TokenElevationType(value)[source]¶
Bases:
proto.enums.Enum
The elevation type of the process’s token. See https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-token_elevation_type
- Values:
- UNKNOWN (0):
An undetermined token type.
- TYPE_1 (1):
A full token with no privileges removed or groups disabled.
- TYPE_2 (2):
An elevated token with no privileges removed or groups disabled. Used when running as administrator.
- TYPE_3 (3):
A limited token with administrative privileges removed and administrative groups disabled.
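The integrity_level_rid and token_elevation_type fields are most useful when compared between a process and its parent_process. The following is an added example, not code from the google.backstory package: plain Python that mirrors the documented TokenElevationType values and flags a child process holding more privilege than its parent. It assumes integrity_level_rid carries the raw Windows mandatory-label RID (0x2000 for Medium, 0x3000 for High), and the process records are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class TokenElevationType(IntEnum):
    """Values copied from the TokenElevationType enum documented above."""
    UNKNOWN = 0
    TYPE_1 = 1  # full token, nothing removed (UAC disabled or built-in Administrator)
    TYPE_2 = 2  # elevated token: running "as administrator"
    TYPE_3 = 3  # limited token: admin privileges stripped by UAC


# Windows mandatory integrity level RIDs (the last sub-authority of S-1-16-<rid>).
# Assumption: integrity_level_rid carries this raw RID value.
INTEGRITY_LABELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected",
}


def integrity_label(rid: int) -> str:
    """Map a RID to its level name; values between steps inherit the lower label."""
    level = max((r for r in INTEGRITY_LABELS if r <= rid), default=0)
    return INTEGRITY_LABELS[level]


@dataclass
class Process:
    """Subset of google.backstory.types.Process used by this example."""
    command_line: str
    token_elevation_type: TokenElevationType = TokenElevationType.UNKNOWN
    integrity_level_rid: int = 0
    parent_process: Optional["Process"] = None


def privilege_jump(child: Process) -> List[str]:
    """Return findings when a child runs with more privilege than its parent.

    Two signals are checked independently, because a sensor may populate only
    one of them:
      * token elevation: an elevated (TYPE_2) child under a limited (TYPE_3)
        parent means the child crossed the UAC boundary;
      * integrity level: a higher mandatory-label RID than the parent.
    """
    findings: List[str] = []
    parent = child.parent_process
    if parent is None:
        return findings  # nothing to compare against
    if (child.token_elevation_type == TokenElevationType.TYPE_2
            and parent.token_elevation_type == TokenElevationType.TYPE_3):
        findings.append("elevated (TYPE_2) token under a limited (TYPE_3) parent")
    if 0 < parent.integrity_level_rid < child.integrity_level_rid:
        findings.append(
            f"integrity rose from {integrity_label(parent.integrity_level_rid)} "
            f"to {integrity_label(child.integrity_level_rid)}")
    return findings


# Constructed sample: a medium-integrity shell spawns a high-integrity child.
EXPLORER = Process("C:\\Windows\\explorer.exe", TokenElevationType.TYPE_3, 0x2000)
ELEVATED_CHILD = Process("cmd.exe /c whoami /groups", TokenElevationType.TYPE_2, 0x3000, EXPLORER)
NORMAL_CHILD = Process("notepad.exe", TokenElevationType.TYPE_3, 0x2000, EXPLORER)

if __name__ == "__main__":
    for proc in (ELEVATED_CHILD, NORMAL_CHILD):
        print(proc.command_line, "->", privilege_jump(proc) or "no finding")
```

A parent with UNKNOWN elevation or a zero RID produces no finding, so the check degrades to silence rather than false positives when a sensor omits the fields.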
- class google.backstory.types.ProxyInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Proxy information.
- class google.backstory.types.Reason(value)[source]¶
Bases:
proto.enums.Enum
Reason for closing an Alert or Case in the SOAR product.
- Values:
- REASON_UNSPECIFIED (0):
Default reason.
- REASON_NOT_MALICIOUS (1):
Case or Alert not malicious.
- REASON_MALICIOUS (2):
Case or Alert is malicious.
- REASON_MAINTENANCE (3):
Case or Alert is under maintenance.
- class google.backstory.types.Reference(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Reference to model primitives including event and entity. As support is added for fast retrieval of objects by identifiers, this will be expanded to include ID references rather than full object copies.
- event¶
Event being referenced. Only one of event or entity is populated for a single reference.
- entity¶
Entity being referenced. In cases where the entity graph is overridden by a data table, this represents the original entity.
- joined_data_table_rows¶
The data table rows joined with the event.
- Type
MutableSequence[google.backstory.types.DataTableRowInfo]
- graph_enrichment¶
The entity graph enrichment details. Only set when the reference is an Entity which has been overridden by a data table or appended from a data table.
- id¶
Id being referenced. This field will also be populated for both event and entity with the event id. For detections, only this field will be populated.
- class google.backstory.types.Registry(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a registry key or value.
- registry_key¶
Registry key associated with an application or system component (e.g., HKEY_, HKCU\Environment…).
- Type
- registry_value_name¶
Name of the registry value associated with an application or system component (e.g. TEMP).
- Type
- registry_value_data¶
Data associated with a registry value (e.g. %USERPROFILE%\Local Settings\Temp).
- Type
- registry_value_type¶
Type of the registry value.
- registry_value_binary_data¶
Binary data associated with a registry value. This field is only populated if the registry value type is BINARY. This field is not populated for other registry value types.
- Type
- class Type(value)[source]¶
Bases:
proto.enums.Enum
Type of the registry value. These values are based on the Windows Registry value types:
https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types
- Values:
- TYPE_UNSPECIFIED (0):
Default registry value type used when the type is unknown.
- NONE (1):
The registry value is not set and only the key exists.
- SZ (2):
A null-terminated string.
- EXPAND_SZ (3):
A null-terminated string that contains unexpanded references to environment variables.
- BINARY (4):
Binary data in any form.
- DWORD (5):
A 32-bit number.
- DWORD_LITTLE_ENDIAN (6):
A 32-bit number in little-endian format.
- DWORD_BIG_ENDIAN (7):
A 32-bit number in big-endian format.
- LINK (8):
A null-terminated Unicode string that contains the target path of a symbolic link.
- MULTI_SZ (9):
A sequence of null-terminated strings, terminated by an empty string.
- RESOURCE_LIST (10):
A device driver resource list.
- QWORD (11):
A 64-bit number.
- QWORD_LITTLE_ENDIAN (12):
A 64-bit number in little-endian format.
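The registry_value_type decides how registry_value_data should be read: an EXPAND_SZ value still carries %VAR% references, a DWORD arrives as a number in a string, and binary data lives in a separate field. The following is an added example, not code from the google.backstory package: plain Python that mirrors the documented Registry fields and Type values, decodes a value according to its type, and uses the result to spot a write into a Run/RunOnce autostart key. The hive table, the autostart key list and the NUL-joined MULTI_SZ encoding are assumptions of this example, and the events and environment map are constructed sample data.

```python
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Union


class RegistryValueType(IntEnum):
    """Values copied from the Registry.Type enum documented above."""
    TYPE_UNSPECIFIED = 0
    NONE = 1
    SZ = 2
    EXPAND_SZ = 3
    BINARY = 4
    DWORD = 5
    DWORD_LITTLE_ENDIAN = 6
    DWORD_BIG_ENDIAN = 7
    LINK = 8
    MULTI_SZ = 9
    RESOURCE_LIST = 10
    QWORD = 11
    QWORD_LITTLE_ENDIAN = 12


@dataclass
class Registry:
    """Subset of google.backstory.types.Registry used by this example."""
    registry_key: str
    registry_value_name: str = ""
    registry_value_data: str = ""
    registry_value_type: RegistryValueType = RegistryValueType.TYPE_UNSPECIFIED
    registry_value_binary_data: bytes = b""


# Hive abbreviations to their long names, so either spelling compares equal.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}

# Well-known autostart locations (relative to the hive), compared case-insensitively.
AUTORUN_SUBKEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runonce",
)

_ENV_REF = re.compile(r"%([^%]+)%")


def normalize_key(key: str) -> str:
    """Expand the hive abbreviation and lower-case the path: HKCU\\Run -> hkey_current_user\\run."""
    hive, _, rest = key.replace("/", "\\").partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    return (hive + "\\" + rest).lower().rstrip("\\")


def expand_env(data: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references the way EXPAND_SZ consumers do; unknown names are left intact."""
    return _ENV_REF.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), data)


def decode_value(reg: Registry, env: Dict[str, str]) -> Union[str, int, bytes, List[str], None]:
    """Turn the string/bytes pair carried in UDM into a typed Python value."""
    t = reg.registry_value_type
    if t == RegistryValueType.NONE:
        return None
    if t == RegistryValueType.EXPAND_SZ:
        return expand_env(reg.registry_value_data, env)
    if t in (RegistryValueType.SZ, RegistryValueType.LINK):
        return reg.registry_value_data
    if t == RegistryValueType.MULTI_SZ:
        # Assumption: the sensor joins the string list with NUL characters.
        return [s for s in reg.registry_value_data.split("\0") if s]
    if t in (RegistryValueType.DWORD, RegistryValueType.DWORD_LITTLE_ENDIAN,
             RegistryValueType.DWORD_BIG_ENDIAN, RegistryValueType.QWORD,
             RegistryValueType.QWORD_LITTLE_ENDIAN):
        return int(reg.registry_value_data, 0)  # accepts "16" as well as "0x10"
    if t == RegistryValueType.BINARY:
        return reg.registry_value_binary_data  # only populated for BINARY, per the docs
    return reg.registry_value_data


def autorun_command(reg: Registry, env: Dict[str, str]) -> Optional[str]:
    """Return the expanded command when the write lands in a Run/RunOnce key, else None."""
    key = normalize_key(reg.registry_key)
    if not any(key.endswith("\\" + sub) for sub in AUTORUN_SUBKEYS):
        return None
    value = decode_value(reg, env)
    return value if isinstance(value, str) and value else None


# Constructed sample events and a constructed environment for expansion.
SAMPLE_ENV = {"USERPROFILE": "C:\\Users\\alice", "APPDATA": "C:\\Users\\alice\\AppData\\Roaming"}
PERSISTENCE = Registry("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
                       "%APPDATA%\\svc\\updater.exe -silent", RegistryValueType.EXPAND_SZ)
TEMP_VAR = Registry("HKEY_CURRENT_USER\\Environment", "TEMP",
                    "%USERPROFILE%\\Local Settings\\Temp", RegistryValueType.EXPAND_SZ)

if __name__ == "__main__":
    for evt in (PERSISTENCE, TEMP_VAR):
        print(evt.registry_key, "->", autorun_command(evt, SAMPLE_ENV))
```

Expanding with the victim host's environment (taken from the same event's principal, not the analyst's machine) matters: a persistence entry written as %APPDATA%\... only resolves to a concrete path in the context it will run in.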
- class google.backstory.types.Relation(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Defines the relationship between the entity (a) and another entity (b).
- entity¶
Entity (b) that the primary entity (a) is related to.
- entity_type¶
Type of the related entity (b) in this relationship.
- relationship¶
Type of relationship.
- direction¶
Directionality of relationship between primary entity (a) and the related entity (b).
- entity_label¶
Label to identify the Noun of the relation.
- class Directionality(value)[source]¶
Bases:
proto.enums.Enum
Describes the relationship model as directed or undirected.
- Values:
- DIRECTIONALITY_UNSPECIFIED (0):
Default value.
- BIDIRECTIONAL (1):
Modeled in both directions. Primary entity (a) to related entity (b) and related entity (b) to primary entity (a).
- UNIDIRECTIONAL (2):
Modeled in a single direction. Primary entity (a) to related entity (b).
- class EntityLabel(value)[source]¶
Bases:
proto.enums.Enum
Entity label of the relation.
- Values:
- ENTITY_LABEL_UNSPECIFIED (0):
Default value.
- PRINCIPAL (1):
The Noun represents a principal type object.
- TARGET (2):
The Noun represents a target type object.
- OBSERVER (3):
The Noun represents an observer type object.
- SRC (4):
The Noun represents a src type object.
- NETWORK (5):
The Noun represents a network type object.
- SECURITY_RESULT (6):
The Noun represents a SecurityResult object.
- INTERMEDIARY (7):
The Noun represents an intermediary type object.
- class Relationship(value)[source]¶
Bases:
proto.enums.Enum
Type of relationship between the primary entity (a) and related entity (b).
- Values:
- RELATIONSHIP_UNSPECIFIED (0):
Default value.
- OWNS (1):
Related entity is owned by the primary entity (e.g. user owns device asset).
- ADMINISTERS (2):
Related entity is administered by the primary entity (e.g. user administers a group).
- MEMBER (3):
Primary entity is a member of the related entity (e.g. user is a member of a group).
- EXECUTES (4):
Primary entity may have executed the related entity.
- DOWNLOADED_FROM (5):
Primary entity may have been downloaded from the related entity.
- CONTACTS (6):
Primary entity contacts the related entity.
- class google.backstory.types.Reputation(value)[source]¶
Bases:
proto.enums.Enum
Categorization options for the usefulness of a finding.
- Values:
- REPUTATION_UNSPECIFIED (0):
An unspecified reputation.
- USEFUL (1):
A categorization of the finding as useful.
- NOT_USEFUL (2):
A categorization of the finding as not useful.
- class google.backstory.types.Resource(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a resource such as a task, Cloud Storage bucket, database, disk, logical policy, or something similar.
- resource_type¶
Resource type.
- name¶
The full name of the resource. For example, Google Cloud: //cloudresourcemanager.googleapis.com/projects/wombat-123, and AWS: arn:aws:iam::123456789012:user/johndoe.
- Type
- parent¶
The parent of the resource. For a database table, the parent is the database. For a storage object, the bucket name. Deprecated: use resource_ancestors.name.
- Type
- product_object_id¶
A vendor-specific identifier to uniquely identify the entity (a GUID, OID, or similar). This field can be used as an entity indicator for a Resource entity.
- Type
- attribute¶
Generic entity metadata attributes of the resource.
- scheduled_task¶
DEPRECATED: use windows_scheduled_task for Windows scheduled tasks or scheduled_cron_task for cron jobs. Information about a scheduled task associated with the resource.
- scheduled_cron_task¶
Information about a scheduled cron task associated with the resource.
- scheduled_anacron_task¶
Information about a scheduled anacron task associated with the resource.
- windows_scheduled_task¶
Information about a Windows scheduled task associated with the resource.
- volume¶
Information about a storage volume associated with the resource.
- service¶
Information about a Windows service associated with the resource.
- class ResourceType(value)[source]¶
Bases:
proto.enums.Enum
The type of resource.
- Values:
- UNSPECIFIED (0):
Default type.
- MUTEX (1):
Mutex.
- TASK (2):
Task.
- PIPE (3):
Named pipe.
- DEVICE (4):
Device.
- FIREWALL_RULE (5):
Firewall rule.
- MAILBOX_FOLDER (6):
Mailbox folder.
- VPC_NETWORK (7):
VPC Network.
- VIRTUAL_MACHINE (8):
Virtual machine.
- STORAGE_BUCKET (9):
Storage bucket.
- STORAGE_OBJECT (10):
Storage object.
- DATABASE (11):
Database.
- TABLE (12):
Data table.
- CLOUD_PROJECT (13):
Cloud project.
- CLOUD_ORGANIZATION (14):
Cloud organization.
- SERVICE_ACCOUNT (15):
Service account.
- ACCESS_POLICY (16):
Access policy.
- CLUSTER (17):
Cluster.
- SETTING (18):
Settings.
- DATASET (19):
Dataset.
- BACKEND_SERVICE (20):
Endpoint that receives traffic from a load balancer or proxy.
- POD (21):
Pod, which is a collection of containers. Often used in Kubernetes.
- CONTAINER (22):
Container.
- FUNCTION (23):
Cloud function.
- RUNTIME (24):
Runtime.
- IP_ADDRESS (25):
IP address.
- DISK (26):
Disk.
- VOLUME (27):
Volume.
- IMAGE (28):
Machine image.
- SNAPSHOT (29):
Snapshot.
- REPOSITORY (30):
Repository.
- CREDENTIAL (31):
Credential, e.g. access keys, ssh keys, tokens, certificates.
- LOAD_BALANCER (32):
Load balancer.
- GATEWAY (33):
Gateway.
- SUBNET (34):
Subnet.
- USER (35):
User.
- SERVICE (36):
Service.
- class google.backstory.types.ResourceUsage(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The ResourceUsage extension captures details about what is using a resource.
- class google.backstory.types.ResponsePlatformInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Related info of an Alert in the customer’s SOAR platform.
- response_platform_type¶
Type of SOAR product.
- class ResponsePlatformType(value)[source]¶
Bases:
proto.enums.Enum
Available response platforms.
- Values:
- RESPONSE_PLATFORM_TYPE_UNSPECIFIED (0):
Response platform not specified.
- RESPONSE_PLATFORM_TYPE_SIEMPLIFY (1):
Siemplify
- class google.backstory.types.RiskDelta(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Describes the difference in risk score between two points in time.
- previous_range_end_time¶
End time of the previous time window.
- risk_score_delta¶
Difference in the normalized risk score from the previous recorded value.
- Type
- class google.backstory.types.Role(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
System role for resource access and modification.
- type_¶
System role type for well known roles.
- class Type(value)[source]¶
Bases:
proto.enums.Enum
Well-known system roles.
- Values:
- TYPE_UNSPECIFIED (0):
Default user role.
- ADMINISTRATOR (1):
Product administrator with elevated privileges.
- SERVICE_ACCOUNT (2):
System service account for automated privilege access.
- class google.backstory.types.SSLCertificate(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
SSL certificate.
- cert_signature¶
Certificate’s signature and algorithm.
- extension¶
(DEPRECATED) certificate’s extension.
- cert_extensions¶
Certificate’s extensions.
- first_seen_time¶
Date the certificate was first retrieved by VirusTotal.
- issuer¶
Certificate’s issuer data.
- ec¶
EC public key information.
- subject¶
Certificate’s subject data.
- validity¶
Certificate’s validity period.
- public_key¶
Public key information.
- class AuthorityKeyId(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Identifies the public key to be used to verify the signature on this certificate or CRL.
- class CertSignature(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Certificate’s signature and algorithm.
- class EC(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
EC public key information.
- class Extension(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Certificate’s extensions.
- authority_key_id¶
Identifies the public key to be used to verify the signature on this certificate or CRL.
- ca_info_access¶
Authority information access locations are URLs that are added to a certificate in its authority information access extension.
- Type
- crl_distribution_points¶
CRL distribution points to which a certificate user should refer to ascertain if the certificate has been revoked.
- Type
- extended_key_usage¶
One or more purposes for which the certified public key may be used, in addition to or in place of the basic purposes indicated in the key usage extension field.
- Type
- subject_alternative_name¶
Contains one or more alternative names, using any of a variety of name forms, for the entity that is bound by the CA to the certified public key.
- Type
- certificate_policies¶
Different certificate policies will relate to different applications which may use the certified key.
- Type
- netscape_certificate¶
Identify whether the certificate subject is an SSL client, an SSL server, or a CA.
- Type
- class PublicKey(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Subject public key info.
- algorithm¶
Any of “RSA”, “DSA” or “EC”. Indicates the algorithm of the certificate’s subject public key (the key the certificate binds to the subject); the algorithm used to sign the certificate is carried in cert_signature.
- Type
- rsa¶
RSA public key information.
- class RSA(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
RSA public key information.
- class Subject(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Subject data.
- class Validity(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Defines certificate’s validity period.
- expiry_time¶
Expiry date.
- issue_time¶
Issue date.
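Validity, issuer/subject and the subject_alternative_name extension are the fields an analyst reaches for first when an SSLCertificate shows up on an Artifact. The following is an added example, not code from the google.backstory package: plain Python over a subset of the documented fields that reports expiry state, self-issuance, hostname/SAN mismatch and an unusually long lifetime. Subject and issuer are modelled as dicts with a common_name entry, which the page does not specify (the documented Subject class is opaque), and the certificates and reference time are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List


@dataclass
class Validity:
    """Mirrors SSLCertificate.Validity: issue_time and expiry_time."""
    issue_time: datetime
    expiry_time: datetime


@dataclass
class Extension:
    """Only the SAN list from SSLCertificate.Extension is used here."""
    subject_alternative_name: List[str] = field(default_factory=list)


@dataclass
class SSLCertificate:
    """Subset of google.backstory.types.SSLCertificate used by this example."""
    subject: dict            # assumption: {"common_name": ...}
    issuer: dict             # assumption: {"common_name": ...}
    validity: Validity
    cert_extensions: Extension = field(default_factory=Extension)


def validity_state(cert: SSLCertificate, now: datetime) -> str:
    """'not_yet_valid', 'expired' or 'valid' relative to the given instant."""
    if now < cert.validity.issue_time:
        return "not_yet_valid"
    if now > cert.validity.expiry_time:
        return "expired"
    return "valid"


def lifetime_days(cert: SSLCertificate) -> float:
    return (cert.validity.expiry_time - cert.validity.issue_time).total_seconds() / 86400


def san_matches(san_list: List[str], hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard only as the leftmost label, covering exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_list:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        # "*.example.com" needs at least three labels so "*.com" never matches.
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def is_self_signed(cert: SSLCertificate) -> bool:
    """Assumption: identical subject and issuer data means the certificate signed itself."""
    return cert.subject == cert.issuer


def triage(cert: SSLCertificate, hostname: str, now: datetime) -> List[str]:
    """Collect the findings an analyst would want to see next to a contacted IP."""
    findings: List[str] = []
    state = validity_state(cert, now)
    if state != "valid":
        findings.append(state)
    if is_self_signed(cert):
        findings.append("self-signed")
    if not san_matches(cert.cert_extensions.subject_alternative_name, hostname):
        findings.append("san-mismatch")
    if lifetime_days(cert) > 398:
        # Public CAs have capped leaf lifetimes at 398 days since September 2020,
        # so longer-lived certificates are almost always private or self-issued.
        findings.append("lifetime-over-398d")
    return findings


# Constructed sample certificates and a constructed reference time.
UTC = timezone.utc
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=UTC)
GOOD_CERT = SSLCertificate(
    subject={"common_name": "*.example.com"},
    issuer={"common_name": "Example Issuing CA"},
    validity=Validity(datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 12, 31, tzinfo=UTC)),
    cert_extensions=Extension(["*.example.com", "example.com"]))
SELF_SIGNED = SSLCertificate(
    subject={"common_name": "login.example.com"},
    issuer={"common_name": "login.example.com"},
    validity=Validity(datetime(2015, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC)),
    cert_extensions=Extension(["login.example.com"]))

if __name__ == "__main__":
    for cert in (GOOD_CERT, SELF_SIGNED):
        print(cert.subject["common_name"], triage(cert, "api.example.com", SAMPLE_NOW))
```

Always evaluate validity against the event time (or last_https_certificate_date), not the analyst's wall clock: a certificate that is expired today may have been perfectly valid when the connection was made.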
- class google.backstory.types.ScheduledAnacronTask(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a scheduled anacron task.
- period¶
Anacrontab period field. Value is an integer in days, or a string like “@daily”, “@weekly”, or “@monthly”.
- Type
- class google.backstory.types.ScheduledCronTask(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a scheduled cron task.
- minute¶
Crontab minute field. Value is an integer between 0 and 59 and can also be a range or list of values (e.g., “0-59”, “0-59/5”, “0,15,30,45”), or an asterisk (*) to indicate first-last minutes. More on the crontab format can be found here: https://www.linux.org/docs/man5/crontab.html
- Type
- hour¶
Crontab hour field. Value is an integer between 0 and 23, a range or list of values (e.g., “0-6”, “*/2”, “1,2”), or an asterisk (*) to indicate first-last hours.
- Type
- month_day¶
Crontab day of month field. Value is an integer between 1 and 31, a range or list of values (e.g., “1-7”, “1-31/7”, “1,15”), or an asterisk (*) to indicate first-last days of month.
- Type
- month¶
Crontab month field. Value is an integer between 1 and 12 or a 3-letter name (e.g., “Jan”), a range or list of values (e.g., “1-3”, “*/2”, “1,6”), or an asterisk (*) to indicate first-last months.
- Type
- week_day¶
Crontab day of week field. Value is an integer between 0 and 7 (0 or 7 is Sunday) or a 3-letter name (e.g., “Fri”), a range or list of values (e.g., “1-5”, “0,6”), or an asterisk (*) to indicate first-last days of week.
- Type
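The five ScheduledCronTask fields share one grammar (single values, names, ranges, lists, steps and the asterisk), and a detection that wants to know whether a suspicious crontab entry fires at a given time has to expand it. The following is an added example, not code from the google.backstory package: a plain-Python expander for the field syntax described above, plus a check of whether a task would run at a particular minute using standard cron semantics (day-of-month and day-of-week are ORed when both are restricted; 7 is folded onto 0 for Sunday). The task below is constructed sample data.

```python
import re
from datetime import datetime
from typing import Dict, Optional, Set, Union

MONTH_NAMES = {n: i for i, n in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}
DAY_NAMES = {n: i for i, n in enumerate(["sun", "mon", "tue", "wed", "thu", "fri", "sat"])}

# (low, high, name table) per ScheduledCronTask field, following the ranges documented above.
FIELD_RANGES = {
    "minute": (0, 59, None),
    "hour": (0, 23, None),
    "month_day": (1, 31, None),
    "month": (1, 12, MONTH_NAMES),
    "week_day": (0, 7, DAY_NAMES),  # 7 is folded onto 0 (Sunday) after expansion
}


def _atom(text: str, names: Optional[Dict[str, int]]) -> int:
    """Parse one number or 3-letter name ("Fri", "Jan")."""
    text = text.strip().lower()
    if names and text in names:
        return names[text]
    if not re.fullmatch(r"\d+", text):
        raise ValueError(f"bad crontab atom {text!r}")
    return int(text)


def expand_field(spec: str, lo: int, hi: int, names: Optional[Dict[str, int]] = None) -> Set[int]:
    """Expand a crontab field ("*", "0-59/5", "1,15", "Mon-Fri") to the set of matching values."""
    values: Set[int] = set()
    for item in spec.split(","):
        base, _, step_text = item.strip().partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"bad step in {item!r}")
        if base == "*":
            start, end = lo, hi
        elif "-" in base:
            a, b = base.split("-", 1)
            start, end = _atom(a, names), _atom(b, names)
        else:
            start = _atom(base, names)
            end = hi if step_text else start  # "5/10" means 5,15,25,... in vixie cron
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{item!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def expand_task(task: Dict[str, str]) -> Dict[str, Set[int]]:
    """Expand every ScheduledCronTask field; a missing field counts as "*"."""
    expanded = {}
    for name, (lo, hi, names) in FIELD_RANGES.items():
        vals = expand_field(task.get(name, "*"), lo, hi, names)
        if name == "week_day":
            vals = {0 if v == 7 else v for v in vals}
        expanded[name] = vals
    return expanded


def fires_at(task: Dict[str, str], when: Union[datetime, str]) -> bool:
    """Would this crontab line run at the given minute (datetime or ISO-8601 string)?

    Standard cron semantics: minute, hour and month must all match; when both
    month_day and week_day are restricted (neither is "*"), either one matching
    is enough.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    e = expand_task(task)
    cron_dow = (when.weekday() + 1) % 7  # datetime: Mon=0..Sun=6 -> cron: Sun=0..Sat=6
    time_ok = when.minute in e["minute"] and when.hour in e["hour"] and when.month in e["month"]
    dom_ok, dow_ok = when.day in e["month_day"], cron_dow in e["week_day"]
    both_restricted = task.get("month_day", "*") != "*" and task.get("week_day", "*") != "*"
    return time_ok and ((dom_ok or dow_ok) if both_restricted else (dom_ok and dow_ok))


# Constructed sample task: every six hours on weekdays.
SAMPLE_TASK = {"minute": "0", "hour": "*/6", "month_day": "*", "month": "*", "week_day": "Mon-Fri"}

if __name__ == "__main__":
    for day in ("2024-01-03T06:00", "2024-01-06T06:00"):  # a Wednesday and a Saturday
        print(day, fires_at(SAMPLE_TASK, day))
```

Expanding the fields also gives a cheap frequency signal: a task whose minute set has 60 members and whose hour set has 24 is a beacon candidate worth a closer look, whatever its command line says.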
- class google.backstory.types.ScheduledTask(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Deprecated: use WindowsScheduledTask for Windows scheduled tasks or ScheduledCronTask for cron jobs. Information about a scheduled task.
- class google.backstory.types.SecurityResult(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Security related metadata for the event. A security result might be something like “virus detected and quarantined,” “malicious connection blocked,” or “sensitive data included in document foo.doc.” Each security result, of which there may be more than one, may either pertain to the whole event, or to a specific object or device referenced in the event (e.g. a malicious file that was detected, or a sensitive document sent as an email attachment). For security results that apply to a particular object referenced in the event, the security_results message MUST contain details about the implicated object (such as process, user, IP, domain, URL, or email address) in the about field. For security results that apply to the entire event (e.g. SPAM found in this email), the about field must remain empty.
- about¶
If the security result is about a specific entity (Noun), add it here. This field is not populated when the SecurityResult appears in a detection.
- category¶
The security category. This field is not populated when the SecurityResult appears in a detection.
- Type
MutableSequence[google.backstory.types.SecurityResult.SecurityCategory]
- category_details¶
For vendor-specific categories. For web categorization, put type in here such as “gambling” or “porn”. This field is not populated when the SecurityResult appears in a detection.
- Type
MutableSequence[str]
- threat_name¶
A vendor-assigned classification common across multiple customers (for example, “W32/File-A”, “Slammer”). This field is not populated when the SecurityResult appears in a detection.
- Type
- rule_set¶
The curated detection’s rule set identifier. (for example, “windows-threats”) This is primarily set in rule-generated detections and alerts.
- Type
- rule_set_display_name¶
The curated detections rule set display name. This is primarily set in rule-generated detections and alerts.
- Type
- ruleset_category_display_name¶
The curated detection rule set category display name. (for example, if rule_set_display_name is “CDIR SCC Enhanced Exfiltration”, the rule_set_category is “Cloud Threats”). This is primarily set in rule-generated detections and alerts.
- Type
- rule_id¶
A vendor-specific ID for a rule, varying by observer type (e.g. “08123”, “5d2b44d0-5ef6-40f5-a704-47d61d3babbe”).
- Type
- display_name¶
The display name of the security result. This is populated from ‘name_override’ Outcome Variable, if present. Otherwise, this field is not set.
- Type
- rule_version¶
Version of the security rule. (e.g. “v1.1”, “00001”, “1604709794”, “2020-11-16T23:04:19+00:00”). Note that rule versions are source-dependent and lexical ordering should not be assumed.
- Type
- rule_author¶
Author of the security rule. This field is not populated when the SecurityResult appears in a detection.
- Type
- rule_labels¶
A list of rule labels that can’t be captured by the other fields in security result (e.g. “reference : AnotherRule”, “contributor : John”). This is primarily set in rule-generated detections and alerts.
- Type
MutableSequence[google.backstory.types.Label]
- alert_state¶
The alerting types of this security result. This is primarily set for rule-generated detections and alerts.
- detection_fields¶
An ordered list of values, that represent fields in detections for a security finding. This list represents mapping of names of requested entities to their values (the security result matched variables).
For Collection SecurityResults, prefer variables instead.
- Type
MutableSequence[google.backstory.types.Label]
- outcomes¶
A list of outcomes that represent the results of this security finding. This list represents a mapping of names of the requested outcomes, to a stringified version of their values.
This is only populated when the SecurityResult appears in a detection. This is deprecated. Use variables instead.
- Type
MutableSequence[google.backstory.types.Label]
- variables¶
A list of outcomes and match variables that represent the results of this security finding. This list represents a mapping of names of the requested outcomes or match variables, to their values.
This is only populated when the SecurityResult appears in a detection.
- Type
MutableMapping[str, google.backstory.types.FindingVariable]
- description¶
A human-readable description (e.g. “user password was wrong”). This can be more detailed than the summary.
- Type
- action¶
Actions taken for this event. This field is not populated when the SecurityResult appears in a detection.
- Type
MutableSequence[google.backstory.types.SecurityResult.Action]
- action_details¶
The detail of the action taken as provided by the vendor. This field is not populated when the SecurityResult appears in a detection.
- Type
- severity¶
The severity of the result.
- confidence¶
The confidence level of the result as estimated by the product. This field is not populated when the SecurityResult appears in a detection.
- priority¶
The priority of the result. This field is not populated when the SecurityResult appears in a detection.
- confidence_score¶
The confidence score of the security result. This field is not populated when the SecurityResult appears in a detection.
- Type
- analytics_metadata¶
Stores metadata about each risk analytic metric the rule uses. This field is not populated when the SecurityResult appears in a detection.
- Type
MutableSequence[google.backstory.types.AnalyticsMetadata]
- severity_details¶
Vendor-specific severity. This field is not populated when the SecurityResult appears in a detection.
- Type
- confidence_details¶
Additional detail with regards to the confidence of a security event as estimated by the product vendor. This field is not populated when the SecurityResult appears in a detection.
- Type
- priority_details¶
Vendor-specific information about the security result priority. This field is not populated when the SecurityResult appears in a detection.
- Type
- url_back_to_product¶
URL that takes the user to the source product console for this event. This field is not populated when the SecurityResult appears in a detection.
- Type
- threat_id¶
Vendor-specific ID for a threat. This field is not populated when the SecurityResult appears in a detection.
- Type
- threat_feed_name¶
Vendor feed name for a threat indicator feed. This field is not populated when the SecurityResult appears in a detection.
- Type
- threat_id_namespace¶
The attribute threat_id_namespace qualifies threat_id with an id namespace to get an unique id. The attribute threat_id by itself is not unique across Chronicle as it is a vendor specific id. This field is not populated when the SecurityResult appears in a detection.
- threat_status¶
Current status of the threat. This field is not populated when the SecurityResult appears in a detection.
- attack_details¶
MITRE ATT&CK details. This field is not populated when the SecurityResult appears in a detection.
- first_discovered_time¶
First time the IoC threat was discovered in the provider. This field is not populated when the SecurityResult appears in a detection.
- associations¶
Associations related to the threat.
- Type
MutableSequence[google.backstory.types.SecurityResult.Association]
- campaigns¶
Campaigns using this IOC threat. This is deprecated. Use threat_collections instead.
- Type
MutableSequence[str]
- reports¶
Reports that reference this IOC threat. These are the report IDs. This is deprecated. Use threat_collections instead.
- Type
MutableSequence[str]
- verdict¶
Verdict about the IoC from the provider. This field is now deprecated. Use VerdictInfo instead.
- last_updated_time¶
Last time the IoC threat was updated in the provider. This field is not populated when the SecurityResult appears in a detection.
- verdict_info¶
Verdict information about the IoC from the provider. This field is not populated when the SecurityResult appears in a detection.
- Type
MutableSequence[google.backstory.types.SecurityResult.VerdictInfo]
- threat_verdict¶
GCTI threat verdict on the security result entity. This field is not populated when the SecurityResult appears in a detection.
- last_discovered_time¶
Last time the IoC was seen in the provider data. This field is not populated when the SecurityResult appears in a detection.
- threat_collections¶
GTI collections associated with the security result.
- Type
MutableSequence[google.backstory.types.SecurityResult.ThreatCollectionItem]
- class Action(value)[source]¶
Bases:
proto.enums.Enum
Enum representing different possible actions taken by the product that created the event. Google SecOps classifies:
ALLOW and ALLOW_WITH_MODIFICATION actions as “successful”.
BLOCK, QUARANTINE, FAIL, and CHALLENGE actions as “failed”. This includes all corresponding metrics (for example, AUTH_ATTEMPTS_FAIL, FILE_EXECUTIONS_FAIL, RESOURCE_READ_FAIL, and so on).
UNKNOWN_ACTION actions as neither “successful” nor “failed”, because, for example, logs might not provide information whether a login event occurred but some kind of “unknown” error was issued nonetheless.
- Values:
- UNKNOWN_ACTION (0):
The default action.
- ALLOW (1):
Allowed.
- BLOCK (2):
Blocked.
- ALLOW_WITH_MODIFICATION (3):
Strip, modify something (e.g. File or email was disinfected or rewritten and still forwarded).
- QUARANTINE (4):
Put somewhere for later analysis (does NOT imply block).
- FAIL (5):
Failed (e.g. the event was allowed but failed).
- CHALLENGE (6):
Challenged (e.g. the user was challenged by a Captcha, 2FA).
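The successful/failed/unknown classification above is what the platform's attempt metrics are built from, and the ProductSeverity values are plain integers that sort in a non-obvious order. The following is an added example, not code from the google.backstory package: plain Python that mirrors the documented Action and ProductSeverity values, collapses an event's actions into an outcome, and aggregates constructed sample events into per-outcome counts. How several actions on one event combine is not stated on the page and is an assumption of this example (any failed action makes the attempt a failure); only the _FAIL metric suffix is taken from the page, the others are illustrative.

```python
from collections import Counter
from enum import IntEnum
from typing import Dict, Iterable, List


class Action(IntEnum):
    """Values copied from SecurityResult.Action above."""
    UNKNOWN_ACTION = 0
    ALLOW = 1
    BLOCK = 2
    ALLOW_WITH_MODIFICATION = 3
    QUARANTINE = 4
    FAIL = 5
    CHALLENGE = 6


class ProductSeverity(IntEnum):
    """Values copied from SecurityResult.ProductSeverity; note the uneven gaps."""
    UNKNOWN_SEVERITY = 0
    INFORMATIONAL = 100
    NONE = 101
    ERROR = 150
    LOW = 200
    MEDIUM = 300
    HIGH = 400
    CRITICAL = 500


# The classification stated in the Action enum description.
SUCCESSFUL = {Action.ALLOW, Action.ALLOW_WITH_MODIFICATION}
FAILED = {Action.BLOCK, Action.QUARANTINE, Action.FAIL, Action.CHALLENGE}

# Metric suffixes: "FAIL" matches the documented AUTH_ATTEMPTS_FAIL style,
# the other two are this example's own naming.
SUFFIX = {"successful": "SUCCESS", "failed": "FAIL", "unknown": "UNKNOWN"}


def outcome(actions: Iterable[Action]) -> str:
    """Collapse the actions of one event into "successful", "failed" or "unknown".

    Assumption (not stated on the page): when an event carries several actions,
    one failed action makes the whole attempt a failure, because a block or a
    challenge anywhere means the attempt did not complete as requested.
    """
    acts = set(actions)
    if acts & FAILED:
        return "failed"
    if acts & SUCCESSFUL:
        return "successful"
    return "unknown"


def worst_severity(results: Iterable[dict]) -> ProductSeverity:
    """Highest severity across an event's security results, by enum value.

    ERROR (150) sits above INFORMATIONAL (100) and NONE (101) but below LOW (200),
    so a result that only reports a product error outranks clean results without
    ever reaching LOW; sort by value, never by name.
    """
    return max((ProductSeverity(r.get("severity", 0)) for r in results),
               default=ProductSeverity.UNKNOWN_SEVERITY)


def attempt_metrics(events: List[dict], prefix: str) -> Dict[str, int]:
    """Count events per outcome as <PREFIX>_<SUFFIX>, e.g. AUTH_ATTEMPTS_FAIL."""
    counts: Counter = Counter()
    for ev in events:
        actions = [Action(a) for r in ev["security_result"] for a in r.get("action", [])]
        counts[f"{prefix}_{SUFFIX[outcome(actions)]}"] += 1
    return dict(counts)


# Constructed sample: four authentication events with their vendor actions.
SAMPLE_AUTH_EVENTS = [
    {"security_result": [{"action": [Action.ALLOW], "severity": ProductSeverity.NONE}]},
    {"security_result": [{"action": [Action.BLOCK], "severity": ProductSeverity.HIGH}]},
    {"security_result": [{"action": [Action.ALLOW, Action.CHALLENGE],
                          "severity": ProductSeverity.LOW}]},
    {"security_result": [{"action": [], "severity": ProductSeverity.ERROR}]},
]

if __name__ == "__main__":
    print(attempt_metrics(SAMPLE_AUTH_EVENTS, "AUTH_ATTEMPTS"))
```

Keeping "unknown" as its own bucket, rather than folding it into either side, is what stops a parser that drops the action field from silently inflating the success or failure rate.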
- class AlertState(value)[source]¶
Bases:
proto.enums.Enum
The type of alerting set up for a security result.
- Values:
- UNSPECIFIED (0):
The security result type is not known.
- NOT_ALERTING (1):
The security result is not an alert.
- ALERTING (2):
The security result is an alert.
- class AnalystVerdict(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Verdict provided by the human analyst. These fields are used to model Mandiant sources.
- verdict_time¶
Timestamp at which the verdict was generated.
- verdict_response¶
Details of the verdict.
- class Association(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Association represents different metadata about malware and threat actors involved with an IoC.
- type_¶
Signifies the type of association.
- alias¶
Different aliases of the threat actor given by different sources.
- Type
MutableSequence[google.backstory.types.SecurityResult.Association.AssociationAlias]
- first_reference_time¶
First time the threat actor was referenced or seen.
- last_reference_time¶
Last time the threat actor was referenced or seen.
- associated_actors¶
List of associated threat actors for a malware. Not applicable for threat actors.
- Type
MutableSequence[google.backstory.types.SecurityResult.Association]
- region_code¶
Name of the country, the threat is originating from.
- sponsor_region¶
Sponsor region of the threat actor.
- targeted_regions¶
Targeted regions.
- Type
MutableSequence[google.backstory.types.Location]
- class AssociationAlias(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Association Alias used to represent Mandiant Threat Intelligence.
- class AssociationType(value)[source]¶
Bases:
proto.enums.Enum
Represents different possible Association types. Can be threat or malware. Used to represent Mandiant threat intelligence.
- Values:
- ASSOCIATION_TYPE_UNSPECIFIED (0):
The default Association Type.
- THREAT_ACTOR (1):
Association type Threat actor.
- MALWARE (2):
Association type Malware.
- SOFTWARE_TOOLKIT (3):
Association type Software toolkit.
- class IoCStats(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about the threat intelligence source. These fields are used to model Mandiant sources.
- ioc_stats_type¶
Describes the source of the IoCStat.
- second_level_source¶
Name of the second-level IoC source, for example Crowdsourced Threat Analysis or Knowledge Graph.
- Type
- quality¶
Level of confidence in the IoC mapping extracted from the source.
- class IoCStatsType(value)[source]¶
Bases:
proto.enums.Enum
Type of IoCStat based on source.
- Values:
- UNSPECIFIED_IOC_STATS_TYPE (0):
IoCStat source is unidentified.
- MANDIANT_SOURCES (1):
IoCStat is from a Mandiant Source.
- THIRD_PARTY_SOURCES (2):
IoCStat is from a third-party source.
- THREAT_INTELLIGENCE_IOC_STATS (3):
IoCStat is from a threat intelligence feed.
- class ProductConfidence(value)[source]¶
Bases:
proto.enums.Enum
A level of confidence in the result.
- Values:
- UNKNOWN_CONFIDENCE (0):
The default confidence level.
- LOW_CONFIDENCE (200):
Low confidence.
- MEDIUM_CONFIDENCE (300):
Medium confidence.
- HIGH_CONFIDENCE (400):
High confidence.
- class ProductPriority(value)[source]¶
Bases:
proto.enums.Enum
A product priority level.
- Values:
- UNKNOWN_PRIORITY (0):
Default priority level.
- LOW_PRIORITY (200):
Low priority.
- MEDIUM_PRIORITY (300):
Medium priority.
- HIGH_PRIORITY (400):
High priority.
- class ProductSeverity(value)[source]¶
Bases:
proto.enums.Enum
Severity as defined by the product.
- Values:
- UNKNOWN_SEVERITY (0):
The default severity level.
- INFORMATIONAL (100):
Info severity.
- ERROR (150):
An error.
- NONE (101):
No malicious result.
- LOW (200):
Low-severity malicious result.
- MEDIUM (300):
Medium-severity malicious result.
- HIGH (400):
High-severity malicious result.
- CRITICAL (500):
Critical-severity malicious result.
- class ProviderMLVerdict(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Deprecated. MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
- mandiant_sources¶
List of mandiant sources from which the verdict was generated.
- Type
MutableSequence[google.backstory.types.SecurityResult.Source]
- third_party_sources¶
List of third-party sources from which the verdict was generated.
- Type
MutableSequence[google.backstory.types.SecurityResult.Source]
- class SecurityCategory(value)[source]¶
Bases:
proto.enums.Enum
SecurityCategory is used to standardize security categories across products so one event is not categorized as “malware” and another as a “virus”.
- Values:
- UNKNOWN_CATEGORY (0):
The default category.
- SOFTWARE_MALICIOUS (10000):
Malware, spyware, rootkit.
- SOFTWARE_SUSPICIOUS (10100):
Below the conviction threshold; probably bad.
- SOFTWARE_PUA (10200):
Potentially Unwanted App (such as adware).
- NETWORK_MALICIOUS (20000):
Includes C&C or network exploit.
- NETWORK_SUSPICIOUS (20100):
Suspicious activity, such as potential reverse tunnel.
- NETWORK_CATEGORIZED_CONTENT (20200):
Non-security related: URL has category like gambling or porn.
- NETWORK_DENIAL_OF_SERVICE (20300):
DoS, DDoS.
- NETWORK_RECON (20400):
Port scan detected by an IDS, probing of web app.
- NETWORK_COMMAND_AND_CONTROL (20500):
If we know this is a C&C channel.
- ACL_VIOLATION (30000):
Unauthorized access attempted, including attempted access to files, web services, processes, web objects, etc.
- AUTH_VIOLATION (40000):
Authentication failed (e.g. bad password or bad 2-factor authentication).
- EXPLOIT (50000):
Exploit: For all manner of exploits including attempted overflows, bad protocol encodings, ROP, SQL injection, etc. For both network and host- based exploits.
- DATA_EXFILTRATION (60000):
DLP: Sensitive data transmission, copy to thumb drive.
- DATA_AT_REST (60100):
DLP: Sensitive data found at rest in a scan.
- DATA_DESTRUCTION (60200):
Attempt to destroy/delete data.
- TOR_EXIT_NODE (60300):
TOR Exit Nodes.
- MAIL_SPAM (70000):
Spam email, message, etc.
- MAIL_PHISHING (70100):
Phishing email, chat messages, etc.
- MAIL_SPOOFING (70200):
Spoofed source email address, etc.
- POLICY_VIOLATION (80000):
Security-related policy violation (e.g. firewall/proxy/HIPS rule violated, NAC block action).
- SOCIAL_ENGINEERING (90001):
Threats which manipulate to break normal security procedures.
- PHISHING (90002):
Phishing pages, pops, https phishing etc.
- class Source(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Deprecated. Information about the threat intelligence source. These fields are used to model Mandiant sources.
- quality¶
Quality of the IoC mapping extracted from the source.
- threat_intelligence_sources¶
Different threat intelligence sources from which IoC info was extracted.
- Type
MutableSequence[google.backstory.types.SecurityResult.Source]
- class ThreatCollectionItem(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Threat Collection that is either a threat campaign or a threat report.
- type_¶
The type of threat collection (e.g., “campaign”).
- class ThreatCollectionType(value)[source]¶
Bases:
proto.enums.Enum
Different types of threat collections currently supported.
- Values:
- THREAT_COLLECTION_TYPE_UNSPECIFIED (0):
Threat collection type is unspecified.
- CAMPAIGN (1):
Threat collection type is campaign.
- REPORT (2):
Threat collection type is report.
- class ThreatStatus(value)[source]¶
Bases:
proto.enums.Enum
Vendor-specific information about the status of a threat (ITW).
- Values:
- THREAT_STATUS_UNSPECIFIED (0):
Default threat status.
- ACTIVE (1):
Active threat.
- CLEARED (2):
Cleared threat.
- FALSE_POSITIVE (3):
False positive.
- class VariablesEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)¶
Bases:
proto.message.Message
- class Verdict(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Deprecated. Encapsulates the threat verdict provided by human analysts and ML models. These fields are used to model Mandiant sources.
- verdict¶
ML Verdict provided by sources like Mandiant.
- analyst_verdict¶
Human analyst verdict provided by sources like Mandiant.
- class VerdictInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Describes the threat verdict provided by human analysts and machine learning models. These fields are used to model Mandiant sources.
- verdict_type¶
Type of verdict.
- ioc_stats¶
List of IoCStats from which the verdict was generated.
- Type
MutableSequence[google.backstory.types.SecurityResult.IoCStats]
- verdict_time¶
Timestamp when the verdict was generated.
- verdict_response¶
Details about the verdict.
- pwn¶
Whether one or more Mandiant incident response customers had this indicator in their environment.
- Type
- pwn_first_tagged_time¶
The timestamp of the first time a pwn was associated to this entity.
- class VerdictResponse(value)[source]¶
Bases:
proto.enums.Enum
Represents different verdict types. Used to represent Mandiant threat intelligence.
- Values:
- VERDICT_RESPONSE_UNSPECIFIED (0):
The default verdict response type.
- MALICIOUS (1):
The verdict response classified the threat as malicious.
- BENIGN (2):
The verdict response classified the threat as benign.
- class VerdictType(value)[source]¶
Bases:
proto.enums.Enum
Category of the verdict.
- Values:
- VERDICT_TYPE_UNSPECIFIED (0):
Verdict category not specified.
- PROVIDER_ML_VERDICT (1):
MLVerdict result provided from threat providers, like Mandiant. These fields are used to model Mandiant sources.
- ANALYST_VERDICT (2):
Verdict provided by the human analyst. These fields are used to model Mandiant sources.
- class google.backstory.types.Service(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a Windows service.
- service_type¶
Deprecated: use service_types instead. The type of service.
- service_types¶
The list of service types.
- Type
MutableSequence[google.backstory.types.Service.ServiceType]
- startup_type¶
The startup type of the service.
- state¶
The status of the service.
- class ServiceType(value)[source]¶
Bases:
proto.enums.Enum
The type of service.
- Values:
- SERVICE_TYPE_UNSPECIFIED (0):
Default service type.
- KERNEL_DRIVER (1):
A kernel driver.
- FILE_SYSTEM_DRIVER (2):
A file system driver.
- WIN32_OWN_PROCESS (3):
A process that is owned by the service. This is a Windows-specific service type.
- WIN32_SHARE_PROCESS (4):
A process that is shared by the service. This is a Windows-specific service type.
- ADAPTER (5):
An adapter. This is a Windows-specific service type.
- RECOGNIZER_DRIVER (6):
A recognizer driver. This is a Windows-specific service type.
- INTERACTIVE_PROCESS (7):
An interactive process. This is a Windows-specific service type.
- class StartupType(value)[source]¶
Bases:
proto.enums.Enum
How the service is started.
- Values:
- STARTUP_TYPE_UNSPECIFIED (0):
Default startup type.
- AUTOMATIC (1):
The service is started automatically.
- MANUAL (2):
The service is started manually by a user.
- DISABLED (3):
The service is disabled and will not start automatically.
- class State(value)[source]¶
Bases:
proto.enums.Enum
The current status of the service.
- Values:
- STATE_UNSPECIFIED (0):
Default service status.
- RUNNING (1):
The service is running.
- STOPPED (2):
The service is stopped. This is a Windows-specific service status.
- PAUSED (3):
The service is paused. This is a Windows-specific service status.
- COMPLETED (4):
The service is completed.
- START_PENDING (5):
The service is starting.
- STOP_PENDING (6):
The service is stopping.
- PAUSE_PENDING (7):
The service is pausing.
- CONTINUE_PENDING (8):
The service is continuing.
- class google.backstory.types.SignatureInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File signature information extracted from different tools.
- sigcheck¶
Signature information extracted from the sigcheck tool.
- codesign¶
Signature information extracted from the codesign utility.
- class google.backstory.types.SignerInfo(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File metadata related to the signer information.
- name¶
Common name of the signers/certificate. The order of the signers matters. Each element is a higher level authority, the last being the root authority.
This field is a member of oneof
_name.
- Type
- status¶
It can say “Valid” or state the problem with the certificate if any (e.g. “This certificate or one of the certificates in the certificate chain is not time valid.”).
This field is a member of oneof
_status.
- Type
- class google.backstory.types.Smtp(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
SMTP info. See RFC 2821.
- class google.backstory.types.SoarAlertMetadata(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Metadata fields of alerts coming from other SIEM systems.
- class google.backstory.types.Software(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a software package or application.
- permissions¶
System permissions granted to the software. For example, “android.permission.WRITE_EXTERNAL_STORAGE”.
- Type
MutableSequence[google.backstory.types.Permission]
- class google.backstory.types.Srum(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The Srum extension captures details specific to Windows System Resource Usage Monitor (SRUM) events.
- background_bytes_read¶
The number of bytes read by the application while running in the background.
- Type
- background_bytes_written¶
The number of bytes written by the application while running in the background.
- Type
- background_context_switches¶
The number of context switches performed by the application’s threads while in the background.
- Type
- background_cycle_count¶
The amount of CPU cycle time consumed by the application in the background, measured in clock cycles.
- Type
- background_flushes_count¶
The number of flush operations performed by the application in the background.
- Type
- background_read_operations¶
The number of read operations performed by the application in the background.
- Type
- background_write_operations¶
The number of write operations performed by the application in the background.
- Type
- class google.backstory.types.Status(value)[source]¶
Bases:
proto.enums.Enum
Describes the status of a finding.
- Values:
- STATUS_UNSPECIFIED (0):
Unspecified finding status.
- NEW (1):
New finding.
- REVIEWED (2):
When a finding has feedback.
- CLOSED (3):
When an analyst closes a finding.
- OPEN (4):
Open. Used to indicate that a Case / Alert is open.
- class google.backstory.types.StringSequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
StringSequence represents a sequence of strings.
- class google.backstory.types.StringToInt64MapEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
- class google.backstory.types.SystemEventDetails(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Captures additional details for system-level events.
- class google.backstory.types.Tags(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Tags are event metadata which is set by examining event contents post-parsing. For example, a UDM event may be assigned a tenant_id based on certain customer-defined parameters.
- class google.backstory.types.ThreatVerdict(value)[source]¶
Bases:
proto.enums.Enum
GCTI threat verdict levels.
- Values:
- THREAT_VERDICT_UNSPECIFIED (0):
Unspecified threat verdict level.
- UNDETECTED (1):
Undetected threat verdict level.
- SUSPICIOUS (2):
Suspicious threat verdict level.
- MALICIOUS (3):
Malicious threat verdict level.
- class google.backstory.types.TimeOff(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
System record for leave/time-off from a Human Capital Management (HCM) system.
- interval¶
Interval duration of the leave.
- Type
google.type.interval_pb2.Interval
- class google.backstory.types.Tls(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Transport Layer Security (TLS) information.
- client¶
Certificate information for the client certificate.
- server¶
Certificate information for the server certificate.
- resumed¶
Indicates whether the TLS connection was resumed from a previous TLS negotiation.
- Type
- class Client(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Transport Layer Security (TLS) information associated with the client (for example, Certificate or JA3 hash).
- certificate¶
Client certificate.
- class Server(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Transport Layer Security (TLS) information associated with the server (for example, Certificate or JA3 hash).
- certificate¶
Server certificate.
- class google.backstory.types.Tracker(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
URL Tracker.
- timestamp¶
Tracker ingestion date.
- class google.backstory.types.Tunnels(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
VPN tunnels.
- class google.backstory.types.UDM(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A Unified Data Model event.
- metadata¶
Event metadata such as timestamp, source product, etc.
- additional¶
Any important vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model.
- principal¶
Represents the acting entity that originates the activity described in the event. The principal must include at least one machine detail (hostname, MACs, IPs, port, product-specific identifiers like an EDR asset ID) or user detail (for example, username), and optionally include process details. It must NOT include any of the following fields:
email, files, registry keys or values.
- src¶
Represents a source entity being acted upon by the participant along with the device or process context for the source object (the machine where the source object resides). For example, if user U copies file A on machine X to file B on machine Y, both file A and machine X would be specified in the src portion of the UDM event.
- target¶
Represents a target entity being referenced by the event or an object on the target entity. For example, in a firewall connection from device A to device B, A is described as the principal and B is described as the target. For a process injection by process C into target process D, process C is described as the principal and process D is described as the target.
- intermediary¶
Represents details on one or more intermediate entities processing activity described in the event. This includes device details about a proxy server or SMTP relay server. If an active event (that has a principal and possibly target) passes through any intermediaries, they’re added here. Intermediaries can impact the overall action, for example blocking or modifying an ongoing request. A rule of thumb here is that ‘principal’, ‘target’, and description of the initial action should be the same regardless of the intermediary or its action. A successful network connection from A->B should look the same in principal/target/intermediary as one blocked by firewall C: principal: A, target: B (intermediary: C).
- Type
MutableSequence[google.backstory.types.Noun]
- observer¶
Represents an observer entity (for example, a packet sniffer or network-based vulnerability scanner), which is not a direct intermediary, but which observes and reports on the event in question.
- about¶
Represents entities referenced by the event that are not otherwise described in principal, src, target, intermediary or observer. For example, it could be used to track email file attachments, domains/URLs/IPs embedded within an email body, and DLLs that are loaded during a PROCESS_LAUNCH event.
- Type
MutableSequence[google.backstory.types.Noun]
- security_result¶
A list of security results.
- Type
MutableSequence[google.backstory.types.SecurityResult]
- network¶
All network details go here, including sub-messages with details on each protocol (for example, DHCP, DNS, or HTTP).
- extensions¶
All other first-class, event-specific metadata goes in this message. Do not place protocol metadata in Extensions; put it in Network.
- extracted¶
Flattened fields extracted from the log.
- class google.backstory.types.Uint64Sequence(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Uint64Sequence represents a sequence of uint64s.
- class google.backstory.types.Url(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Url.
- favicon¶
Difference hash and MD5 hash of the URL’s favicon.
- html_meta¶
Meta tags (only for URLs downloading HTML).
- last_http_response_cookies¶
Website’s cookies.
- last_http_response_headers¶
Headers and values of the last HTTP response.
- trackers¶
Trackers found in the URL in a historical manner.
- Type
MutableSequence[google.backstory.types.Tracker]
- class google.backstory.types.User(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a user.
- product_object_id¶
A vendor-specific identifier to uniquely identify the entity (e.g. a GUID, LDAP, OID, or similar). This field can be used as an entity indicator for user entities.
- Type
- userid¶
The ID of the user. This field can be used as an entity indicator for user entities.
- Type
- personal_address¶
Personal address of the user.
- attribute¶
Generic entity metadata attributes of the user.
- first_seen_time¶
The first observed time for a user. The value is calculated on the basis of the first time the identifier was observed.
- account_type¶
Type of user account (for example, service, domain, or cloud). This is somewhat aligned to: https://attack.mitre.org/techniques/T1078/
- groupid¶
The ID of the group that the user belongs to. Deprecated in favor of the repeated group_identifiers field.
- Type
- group_identifiers¶
Product object identifiers of the group(s) the user belongs to. A vendor-specific identifier to uniquely identify the group(s) the user belongs to (a GUID, LDAP OID, or similar).
- Type
MutableSequence[str]
- windows_sid¶
The Microsoft Windows SID of the user. This field can be used as an entity indicator for user entities.
- Type
- email_addresses¶
Email addresses of the user. This field can be used as an entity indicator for user entities.
- Type
MutableSequence[str]
- employee_id¶
Human capital management identifier. This field can be used as an entity indicator for user entities.
- Type
- office_address¶
User job office location.
- managers¶
User job manager(s).
- Type
MutableSequence[google.backstory.types.User]
- hire_date¶
User job employment hire date.
- termination_date¶
User job employment termination date.
- time_off¶
User time off leaves from active work.
- Type
MutableSequence[google.backstory.types.TimeOff]
- last_login_time¶
User last login timestamp.
- last_password_change_time¶
User last password change timestamp.
- password_expiration_time¶
User password expiration timestamp.
- account_expiration_time¶
User account expiration timestamp.
- account_lockout_time¶
User account lockout timestamp.
- last_bad_password_attempt_time¶
User last bad password attempt timestamp.
- user_authentication_status¶
System authentication status for user.
- user_role¶
System role for user. Deprecated: use attribute.roles.
- class AccountType(value)[source]¶
Bases:
proto.enums.Enum
User Account Type.
- Values:
- ACCOUNT_TYPE_UNSPECIFIED (0):
Default user account type.
- DOMAIN_ACCOUNT_TYPE (1):
A human account part of some domain in directory services.
- LOCAL_ACCOUNT_TYPE (2):
A local machine account.
- CLOUD_ACCOUNT_TYPE (3):
A SaaS service account type (such as Slack or GitHub).
- SERVICE_ACCOUNT_TYPE (4):
A non-human account for data access.
- DEFAULT_ACCOUNT_TYPE (5):
A system built in default account.
- class Role(value)[source]¶
Bases:
proto.enums.Enum
User system roles.
- Values:
- UNKNOWN_ROLE (0):
Default user role.
- ADMINISTRATOR (1):
Product administrator with elevated privileges.
- SERVICE_ACCOUNT (2):
System service account for automated privilege access. Deprecated: not a role, instead set User.account_type.
- class google.backstory.types.UserAssist(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The UserAssist extension captures details specific to Windows User Assist events.
- application_focus_count¶
The number of times the application associated with the entry gained focus.
- Type
- application_focus_duration¶
The total duration the application associated with the entry was in focus.
- executions_count¶
The number of times the application associated with the entry has been executed.
- Type
- class google.backstory.types.UsnJournal(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information from the NTFS USN Journal.
- attributes¶
Deprecated: Use file_attributes instead. File attributes from the USN record.
- file_attributes¶
File attributes from the USN record.
- Type
MutableSequence[google.backstory.types.UsnJournal.Attribute]
- reason¶
Deprecated: Use reasons instead. Human-readable string describing the reason for the USN journal entry. (e.g., “USN_REASON_FILE_CREATE”).
- reasons¶
Human-readable string describing the reasons for the USN journal entry (e.g., “USN_REASON_FILE_CREATE”).
- Type
MutableSequence[google.backstory.types.UsnJournal.Reason]
- class Attribute(value)[source]¶
Bases:
proto.enums.Enum
File attributes from the USN record (e.g., “READ_ONLY, HIDDEN”). See https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants for more information about the attributes.
- Values:
- ATTRIBUTE_UNSPECIFIED (0):
Unspecified attribute.
- READ_ONLY (1):
A file that is read-only.
- HIDDEN (2):
The file or directory is hidden.
- SYSTEM (3):
A file or directory that the operating system uses.
- ARCHIVE (4):
Archive file or directory.
- COMPRESSED (5):
A file or directory that is compressed.
- ENCRYPTED (6):
A file or directory that is encrypted.
- DIRECTORY (7):
The handle that identifies the directory.
- DEVICE (8):
Reserved for system use.
- NORMAL (9):
A file that does not have other attributes set.
- TEMPORARY (10):
A file that is being used for temporary storage.
- SPARSE_FILE (11):
A file that is a sparse file.
- REPARSE_POINT (12):
A file or directory that has an associated reparse point.
- OFFLINE (13):
The data of a file is not available immediately.
- NOT_CONTENT_INDEXED (14):
The file or directory is not to be indexed.
- NON_CONTENT_INDEXED (14):
Deprecated: Use NOT_CONTENT_INDEXED instead.
- INTEGRITY_STREAM (15):
The directory or user data stream is configured with integrity.
- VIRTUAL (16):
Reserved for system use.
- NO_SCRUB_DATA (17):
The user data stream is not to be read by the background data integrity scanner.
- EA (18):
A file or directory with extended attributes.
- PINNED (19):
The file or directory should be kept fully present locally.
- UNPINNED (20):
The file or directory should not be kept fully present locally.
- RECALL_ON_OPEN (21):
The file or directory has no physical representation on the local system.
- RECALL_ON_DATA_ACCESS (22):
The file or directory is not fully present locally.
- class Reason(value)[source]¶
Bases:
proto.enums.Enum
The reason for the USN journal entry.
- Values:
- REASON_UNSPECIFIED (0):
Unspecified reason.
- DATA_OVERWRITE (1):
Data overwrite reason.
- DATA_EXTEND (2):
Data extend reason.
- DATA_TRUNCATION (3):
Data truncation reason.
- NAMED_DATA_OVERWRITE (4):
Named data overwrite reason.
- NAMED_DATA_EXTEND (5):
Named data extend reason.
- NAMED_DATA_TRUNCATION (6):
Named data truncation reason.
- FILE_CREATE (7):
File create reason.
- FILE_DELETE (8):
File delete reason.
- EA_CHANGE (9):
EA change reason.
- SECURITY_CHANGE (10):
Security change reason.
- RENAME_OLD_NAME (11):
Rename old name reason.
- RENAME_NEW_NAME (12):
Rename new name reason.
- INDEXABLE_CHANGE (13):
Indexable change reason.
- BASIC_INFO_CHANGE (14):
Basic info change reason.
- HARD_LINK_CHANGE (15):
Hard link change reason.
- COMPRESSION_CHANGE (16):
Compression change reason.
- ENCRYPTION_CHANGE (17):
Encryption change reason.
- OBJECT_ID_CHANGE (18):
Object ID change reason.
- REPARSE_POINT_CHANGE (19):
Reparse point change reason.
- STREAM_CHANGE (20):
Stream change reason.
- TRANSACTED_CHANGE (21):
Transacted change reason.
- CLOSE (22):
Close reason.
- class google.backstory.types.Verdict(value)[source]¶
Bases:
proto.enums.Enum
Categorization options for the validity of a finding (for example, whether it reflects an actual security incident).
- Values:
- VERDICT_UNSPECIFIED (0):
An unspecified verdict.
- TRUE_POSITIVE (1):
A categorization of the finding as a “true positive”.
- FALSE_POSITIVE (2):
A categorization of the finding as a “false positive”.
- class google.backstory.types.Volume(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a storage volume.
- class google.backstory.types.Vulnerabilities(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The Vulnerabilities extension captures details on observed/detected vulnerabilities.
- vulnerabilities¶
A list of vulnerabilities.
- Type
MutableSequence[google.backstory.types.Vulnerability]
- class google.backstory.types.Vulnerability(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
A vulnerability.
- about¶
If the vulnerability is about a specific noun (e.g. executable), then add it here.
- scan_start_time¶
If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan started. This field can be left unset if the start time is not available or not applicable.
- scan_end_time¶
If the vulnerability was discovered during an asset scan, then this field should be populated with the time the scan ended. This field can be left unset if the end time is not available or not applicable.
- first_found¶
Products that maintain a history of vuln scans should populate first_found with the time that a scan first detected the vulnerability on this asset.
- last_found¶
Products that maintain a history of vuln scans should populate last_found with the time that a scan last detected the vulnerability on this asset.
- severity¶
The severity of the vulnerability.
- cvss_vector¶
Vector of CVSS properties (e.g. “AV:L/AC:H/Au:N/C:N/I:P/A:C”). Can be linked to via: https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator
- Type
- cve_id¶
Common Vulnerabilities and Exposures Id. https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures https://cve.mitre.org/about/faqs.html#what_is_cve_id
- Type
- cve_description¶
Common Vulnerabilities and Exposures Description. https://cve.mitre.org/about/faqs.html#what_is_cve_record
- Type
- vendor_vulnerability_id¶
Vendor specific vulnerability id (e.g. Microsoft security bulletin id).
- Type
- vendor_knowledge_base_article_id¶
Vendor specific knowledge base article (e.g. “KBXXXXXX” from Microsoft). https://en.wikipedia.org/wiki/Microsoft_Knowledge_Base https://access.redhat.com/knowledgebase
- Type
- class Severity(value)[source]¶
Bases:
proto.enums.Enum
Severity of the vulnerability.
- Values:
- UNKNOWN_SEVERITY (0):
The default severity level.
- LOW (1):
Low severity.
- MEDIUM (2):
Medium severity.
- HIGH (3):
High severity.
- CRITICAL (4):
Critical severity.
- class google.backstory.types.WindowsEventLog(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The WindowsEventLog extension captures details specific to Windows Event Log events.
- channel¶
The channel of the event.
- activity_id¶
A GUID (Globally Unique Identifier) used to link a sequence of related events together.
- Type
- class Channel(value)[source]¶
Bases:
proto.enums.Enum
The channel specifies the source or category of the event.
- Values:
- CHANNEL_UNSPECIFIED (0):
Default channel.
- SECURITY (1):
The security channel.
- SYSTEM (2):
The system channel.
- APPLICATION (3):
The application channel.
- SETUP (4):
The setup channel.
- FORWARDED_EVENTS (5):
The forwarded events channel.
- OTHER (6):
The other channel.
- class google.backstory.types.WindowsScheduledTask(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a Windows scheduled task.
- state¶
The operation state of the task.
- logon_type¶
The logon type of the task.
- task_actions¶
The actions of the scheduled task.
- Type
MutableSequence[google.backstory.types.WindowsScheduledTask.TaskAction]
- task_triggers¶
The triggers of the scheduled task.
- Type
MutableSequence[google.backstory.types.WindowsScheduledTask.TaskTrigger]
- class TaskAction(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The task action.
- action_type¶
The action type of the task.
- exec_arguments¶
The arguments of the task. This field is only populated if the task action type is EXEC.
- Type
MutableSequence[str]
- exec_working_directory¶
The executable working directory of the task. This field is only populated if the task action type is EXEC.
- Type
- com_class_id¶
The COM class ID of the COM handler. This field is only populated if the task action type is COM_HANDLER.
- Type
- com_data¶
The data of the task. This field is only populated if the task action type is COM_HANDLER.
- Type
- class ActionType(value)[source]¶
Bases:
proto.enums.Enum
Enum representing the action type of the task.
- Values:
- ACTION_TYPE_UNSPECIFIED (0):
The action type is not specified.
- EXEC (1):
This action performs a command-line operation. For example, the action can run a script, launch an executable, or, if the name of a document is provided, find its associated application and launch the application with the document.
- COM_HANDLER (2):
This action fires a handler. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.
- SEND_EMAIL (3):
This action sends an email message. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.
- SHOW_MESSAGE (4):
This action shows a message box. This action can only be used if the task Compatibility property is set to TASK_COMPATIBILITY_V2.
- class TaskLogonType(value)[source]¶
Bases:
proto.enums.Enum
Enum representing the logon type of the task.
- Values:
- TASK_LOGON_TYPE_UNSPECIFIED (0):
The logon method is not specified. Used for non-NT credentials.
- PASSWORD (1):
Use a password for logging on the user. The password must be supplied at registration time.
- S4U (2):
Use an existing interactive token to run a task. The user must log on using a service for user (S4U) logon. When an S4U logon is used, no password is stored by the system and there is no access to either the network or encrypted files.
- INTERACTIVE_TOKEN (3):
User must already be logged on. The task will be run only in an existing interactive session.
- GROUP (4):
Logon with group credentials.
- SERVICE_ACCOUNT (5):
Indicates that a Local System, Local Service, or Network Service account is being used as a security context to run the task.
- INTERACTIVE_TOKEN_OR_PASSWORD (6):
First use the interactive token. If the user is not logged on (no interactive token is available), the password is used. The password must be specified when a task is registered. This flag is not recommended for new tasks because it is less reliable than TASK_LOGON_PASSWORD.
- class TaskState(value)[source]¶
Bases:
proto.enums.Enum
Enum representing the operation state of the task.
- Values:
- TASK_STATE_UNSPECIFIED (0):
The state of the task is unknown or not specified.
- DISABLED (1):
The task is registered but is disabled and no instances of the task are queued or running. The task cannot be run until it is enabled.
- QUEUED (2):
Instances of the task are queued.
- ACTIVE (3):
The task is ready to be executed, but no instances are queued or running.
- RUNNING (4):
One or more instances of the task are running.
- class TaskTrigger(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
The trigger of the scheduled task.
- duration¶
The duration of the task trigger repetition.
- interval¶
The interval between each repetition of the task. The format for this string is P<days>DT<hours>H<minutes>M<seconds>S (for example, “PT5M” is 5 minutes, “PT1H” is 1 hour, and “PT20M” is 20 minutes). The maximum time allowed is 31 days, and the minimum time allowed is 1 minute.
- Type
- trigger_type¶
The trigger frequency of the task.
- class TriggerType(value)[source]¶
Bases:
proto.enums.Enum
Enum representing the trigger type of the task. For more details, see https://learn.microsoft.com/en-us/windows/win32/api/taskschd/ne-taskschd-task_trigger_type2.
- Values:
- TRIGGER_TYPE_UNSPECIFIED (0):
The trigger frequency is not specified.
- EVENT (1):
Triggers the task when a specific event occurs.
- TIME (2):
Triggers the task at a specific time of day.
- DAILY (3):
Triggers the task on a daily schedule. For example, the task starts at a specific time every day, every other day, or every third day.
- WEEKLY (4):
Triggers the task on a weekly schedule. For example, the task starts at 8:00 AM on a specific day every week or other week.
- MONTHLY (5):
Triggers the task on a monthly schedule. For example, the task starts on specific days of specific months.
- MONTHLYDOW (6):
Triggers the task on a monthly day-of-week schedule. For example, the task starts on specific days of the week, weeks of the month, and months of the year.
- IDLE (7):
Triggers the task when the computer goes into an idle state.
- REGISTRATION (8):
Triggers the task when the task is registered.
- BOOT (9):
Triggers the task when the computer boots.
- LOGON (10):
Triggers the task when a specific user logs on.
- SESSION_STATE_CHANGE (11):
Triggers the task when a specific user session state changes.
- CUSTOM_TRIGGER01 (12):
Custom trigger 01.
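The repetition-interval string format documented for TaskTrigger.interval above (P<days>DT<hours>H<minutes>M<seconds>S, between 1 minute and 31 days) is easy to get wrong when a parser ingests scheduled-task records: "PT" with no components, units out of order, or a value outside the documented bounds should all be rejected rather than silently mapped to zero. The parser and bounds check below are an added example, not code from the google.backstory package; the function names parse_task_interval and interval_in_bounds and the regular expression are my own.

```python
import re
from datetime import timedelta
from typing import Optional

# Added example (not google.backstory code): parse the TaskTrigger.interval
# string format P<days>DT<hours>H<minutes>M<seconds>S and enforce the
# documented limits of 1 minute minimum and 31 days maximum.

# Components are optional but must appear in day/hour/minute/second order;
# the "T" separator is required before any time-of-day components.
_INTERVAL_RE = re.compile(
    r"^P(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)

MIN_INTERVAL = timedelta(minutes=1)   # documented minimum
MAX_INTERVAL = timedelta(days=31)     # documented maximum


def parse_task_interval(value: str) -> Optional[timedelta]:
    """Return the interval as a timedelta, or None if the string is malformed.

    A bare "P" or "PT" with no numeric components is treated as malformed so
    that a missing interval is never mistaken for a zero-length one.
    """
    m = _INTERVAL_RE.match(value)
    if not m or not any(m.groupdict().values()):
        return None
    parts = {name: int(num) for name, num in m.groupdict().items() if num is not None}
    return timedelta(**parts)


def interval_in_bounds(value: str) -> bool:
    """True only if the string parses and lies within 1 minute .. 31 days."""
    delta = parse_task_interval(value)
    return delta is not None and MIN_INTERVAL <= delta <= MAX_INTERVAL


if __name__ == "__main__":
    # Constructed sample values: the three from the field description plus
    # out-of-bounds and malformed strings a parser should reject.
    for sample in ("PT5M", "PT1H", "PT20M", "P31D", "P31DT1S", "PT59S", "PT", "5M"):
        print(f"{sample:10s} -> {parse_task_interval(sample)} in_bounds={interval_in_bounds(sample)}")
```

Rejecting "PT" and similar empty forms matters because a zero timedelta would pass a naive "less than 31 days" check while still violating the documented 1-minute minimum; the bounds check therefore tests both ends of the range explicitly.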
- class google.backstory.types.WmiPersistenceItem(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
Information about a WMI persistence item.
- class google.backstory.types.X509(mapping=None, *, ignore_unknown_fields=False, **kwargs)[source]¶
Bases:
proto.message.Message
File certificate.