Chronicle

Overview


Use the Chronicle integration to retrieve Asset alerts or IOC Domain matches as Incidents. Use it to fetch a list of infected assets based on the indicator accessed. This integration also provides reputation and threat enrichment of indicators observed in the enterprise.

Configure Chronicle on Cortex XSOAR


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Chronicle.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • User's Service Account JSON
    • Provide comma-separated categories (e.g. APT-Activity, Phishing). Indicators belonging to these categories are considered "malicious" when executing reputation commands.
    • Provide comma-separated categories (e.g. Unwanted, VirusTotal YARA Rule Match). Indicators belonging to these categories are considered "suspicious" when executing reputation commands.
    • Specify the severity at which an indicator is considered "malicious" irrespective of its category. For example, to treat all indicators with High severity as malicious, set this parameter to 'High'. Allowed values are 'High', 'Medium' and 'Low'. This configuration applies to reputation commands only.
    • Specify the severity at which an indicator is considered "suspicious" irrespective of its category. For example, to treat all indicators with Medium severity as suspicious, set this parameter to 'Medium'. Allowed values are 'High', 'Medium' and 'Low'. This configuration applies to reputation commands only.
    • Specify the numeric confidence score at or above which an indicator is considered "malicious". The value must be greater than the suspicious threshold. This configuration applies to reputation commands only.
    • Specify the numeric confidence score at or above which an indicator is considered "suspicious". The value must be smaller than the malicious threshold. This configuration applies to reputation commands only.
    • Select the confidence score level at or above which an indicator is considered "malicious". The configured level must have higher precedence than the suspicious level. This configuration applies to reputation commands only. Confidence score level precedence: UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Select the confidence score level at or above which an indicator is considered "suspicious". The configured level must have lower precedence than the malicious level. This configuration applies to reputation commands only. Confidence score level precedence: UNKNOWN_SEVERITY < INFORMATIONAL < LOW < MEDIUM < HIGH.
    • Fetches incidents
    • First fetch time interval. The time range to consider for the initial data fetch (<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year).
    • How many incidents to fetch each time
    • Backstory Alert Type (the type of data to consider for fetched incidents).
    • Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified' (default: no selection).
    • Trust any certificate (not secure)
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.
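The reputation parameters above combine three independent tests (category list, severity floor, confidence threshold or level) for each of two verdicts. The Python below is an added example, not the integration's own code, that reproduces that decision for a list of Chronicle sources and returns the DBotScore value (0 Unknown, 2 Suspicious, 3 Bad). Chronicle reports ConfidenceScore either as a number or as a level string (the ip command example further down shows both forms for one indicator), so both are handled: numbers are compared against the numeric threshold, strings against the level precedence. The class and function names, and the rule that any single matching source decides the verdict (worst source wins), are assumptions of this example rather than documented behaviour.

```python
"""Added example (not the integration's own code): compute a DBot reputation
score from Chronicle IOC sources using the instance parameters described above.
The combining rule (worst matching source wins) is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Confidence score level precedence, lowest first, as stated in the parameter text.
CONFIDENCE_LEVELS = ["UNKNOWN_SEVERITY", "INFORMATIONAL", "LOW", "MEDIUM", "HIGH"]
# Allowed severity values for the severity parameters, lowest first.
SEVERITY_LEVELS = ["LOW", "MEDIUM", "HIGH"]

# DBotScore.Score values (0: Unknown, 1: Good, 2: Suspicious, 3: Bad).
DBOT_UNKNOWN, DBOT_SUSPICIOUS, DBOT_BAD = 0, 2, 3


def parse_categories(raw: str) -> List[str]:
    """Split the comma-separated category parameter, trimming blanks."""
    return [c.strip() for c in raw.split(",") if c.strip()]


def _rank(value: Optional[str], scale: List[str]) -> int:
    """Position of a level on its scale; -1 when unset or unrecognised."""
    if not value:
        return -1
    try:
        return scale.index(value.strip().upper())
    except ValueError:
        return -1


@dataclass
class ThresholdSet:
    """One side of the configuration: the malicious or the suspicious settings."""
    categories: List[str] = field(default_factory=list)
    severity: Optional[str] = None              # 'High', 'Medium' or 'Low'
    confidence_threshold: Optional[int] = None  # numeric confidence score floor
    confidence_level: Optional[str] = None      # UNKNOWN_SEVERITY .. HIGH floor

    def matches(self, source: Dict) -> bool:
        """True if the source satisfies any one of the configured criteria."""
        if source.get("Category") in self.categories:
            return True
        sev_floor = _rank(self.severity, SEVERITY_LEVELS)
        if sev_floor >= 0 and _rank(source.get("Severity"), SEVERITY_LEVELS) >= sev_floor:
            return True
        score: Union[int, float, str, None] = source.get("ConfidenceScore")
        # Numeric scores are compared against the numeric threshold ...
        if (isinstance(score, (int, float)) and not isinstance(score, bool)
                and self.confidence_threshold is not None
                and score >= self.confidence_threshold):
            return True
        # ... level strings are compared by precedence against the configured level.
        lvl_floor = _rank(self.confidence_level, CONFIDENCE_LEVELS)
        if (isinstance(score, str) and lvl_floor >= 0
                and _rank(score, CONFIDENCE_LEVELS) >= lvl_floor):
            return True
        return False


@dataclass
class ReputationConfig:
    malicious: ThresholdSet = field(default_factory=ThresholdSet)
    suspicious: ThresholdSet = field(default_factory=ThresholdSet)

    def validate(self) -> None:
        """Enforce the ordering the parameter descriptions require."""
        m, s = self.malicious, self.suspicious
        if (m.confidence_threshold is not None and s.confidence_threshold is not None
                and m.confidence_threshold <= s.confidence_threshold):
            raise ValueError("malicious confidence threshold must exceed the suspicious one")
        if (m.confidence_level and s.confidence_level
                and _rank(m.confidence_level, CONFIDENCE_LEVELS)
                <= _rank(s.confidence_level, CONFIDENCE_LEVELS)):
            raise ValueError("malicious confidence level must rank above the suspicious one")


def dbot_score(sources: List[Dict], cfg: ReputationConfig) -> int:
    """Malicious criteria are checked first, then suspicious; otherwise Unknown."""
    cfg.validate()
    if any(cfg.malicious.matches(src) for src in sources):
        return DBOT_BAD
    if any(cfg.suspicious.matches(src) for src in sources):
        return DBOT_SUSPICIOUS
    return DBOT_UNKNOWN


# Sources as returned for 23.20.239.12 in the ip command example on this page.
SAMPLE_SOURCES = [
    {"Category": "Known CnC for Mobile specific Family", "Severity": "High", "ConfidenceScore": 70},
    {"Category": "Blocked", "Severity": "High", "ConfidenceScore": "High"},
]

if __name__ == "__main__":
    # With no thresholds configured the verdict is Unknown, matching the page's example.
    print(dbot_score(SAMPLE_SOURCES, ReputationConfig()))
    print(dbot_score(SAMPLE_SOURCES, ReputationConfig(malicious=ThresholdSet(severity="High"))))
```

Note that with an empty configuration the two sample sources (severity High, confidence 70 and "High") still yield Unknown, which is why the ip example on this page reports "Reputation: Unknown"; the thresholds have to be set explicitly before Chronicle's source data turns into a DBot verdict.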

Fetched Incidents Data


The fetch-incidents feature pulls events from Google Chronicle and converts them into actionable incidents for further investigation. It is the function that Demisto calls every minute to import new incidents, and it is enabled by the "Fetches incidents" parameter in the integration configuration.

Two sources can be configured: the list of alerts (gcb-list-alerts) or the IOC domain matches (gcb-list-iocs).

Configuration Parameters for Fetch-incidents

| Name | Initial Value |
|---|---|
| First fetch time interval. The time range to consider for the initial data fetch (<number> <unit>, e.g. 1 day, 7 days, 3 months, 1 year). | 3 days |
| How many incidents to fetch each time. | 10 |
| Select the severity of asset alerts to be filtered for Fetch Incidents. Available options are 'High', 'Medium', 'Low' and 'Unspecified'. Only applicable for asset alerts. | No selection |
| Backstory Alert Type (the type of data to consider for fetched incidents). | IOC Domain matches (default), Assets with alerts |

Incident field mapping - Asset Alerts

| Name | Initial Value |
|---|---|
| name | <AlertName> for <Asset> |
| rawJSON | Single Raw JSON |
| details | Single Raw JSON |
| severity | Severity of Alert |

Incident field mapping - IOC Domain matches

| Name | Initial Value |
|---|---|
| name | IOC Domain Match: <Artifact> |
| rawJSON | Single Raw JSON |
| details | Single Raw JSON |
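The two mapping tables above say what each incident field is filled from but not how a fetched record becomes an incident. The Python below is an added example, not the integration's own code, that builds Cortex XSOAR incident dictionaries from the context shapes shown in the gcb-list-alerts and gcb-list-iocs examples on this page: one incident per alert in AlertInfo named "<AlertName> for <Asset>", one per match named "IOC Domain Match: <Artifact>", each carrying its own record as rawJSON and details, with the asset alert severity filter and the fetch limit applied. The numeric severity mapping (Low 1, Medium 2, High 3, Unspecified 0), the expansion of AlertInfo into separate incidents, and the function names are assumptions of this example.

```python
"""Added example (not the integration's own code): map fetched Chronicle asset
alerts and IOC domain matches to XSOAR incidents per the field mapping tables.
Severity numbers and the per-AlertInfo expansion are assumptions."""
import json
from typing import Dict, List, Set

# XSOAR incident severity scale: 0 Unknown, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_TO_XSOAR = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# 'Unspecified' alerts carry no severity; map them to Unknown (assumption).
DEFAULT_SEVERITY = 0


def xsoar_severity(label: str) -> int:
    """Translate Chronicle's severity label into the XSOAR numeric scale."""
    return SEVERITY_TO_XSOAR.get((label or "").strip().lower(), DEFAULT_SEVERITY)


def asset_alerts_to_incidents(alerts: List[Dict], severity_filter: Set[str],
                              max_fetch: int) -> List[Dict]:
    """name: '<AlertName> for <Asset>'; rawJSON and details: that single alert's JSON."""
    if max_fetch <= 0:
        return []
    incidents: List[Dict] = []
    wanted = {s.strip().lower() for s in severity_filter}
    for asset in alerts:
        asset_name = asset.get("AssetName", "")
        for info in asset.get("AlertInfo", []):
            sev = info.get("Severity") or "Unspecified"
            # An empty filter means "no selection": keep every severity.
            if wanted and sev.lower() not in wanted:
                continue
            single = {"AssetName": asset_name, **info}
            raw = json.dumps(single, sort_keys=True)
            incidents.append({
                "name": f"{info.get('Name', 'Alert')} for {asset_name}",
                "rawJSON": raw,
                "details": raw,
                "severity": xsoar_severity(sev),
            })
            if len(incidents) >= max_fetch:
                return incidents
    return incidents


def ioc_matches_to_incidents(iocs: List[Dict], max_fetch: int) -> List[Dict]:
    """name: 'IOC Domain Match: <Artifact>'; rawJSON and details: that single match's JSON."""
    incidents: List[Dict] = []
    for match in iocs[:max(max_fetch, 0)]:
        raw = json.dumps(match, sort_keys=True)
        incidents.append({
            "name": f"IOC Domain Match: {match.get('Artifact', '')}",
            "rawJSON": raw,
            "details": raw,
        })
    return incidents


def raw_of(incident: Dict) -> Dict:
    """Recover the original record from an incident's rawJSON field."""
    return json.loads(incident["rawJSON"])


# Sample records taken from the command examples on this page.
SAMPLE_ALERTS = [{
    "AssetName": "rosie-hayes-pc",
    "AlertInfo": [{
        "Timestamp": "2020-02-14T03:02:36Z",
        "SourceProduct": "Internal Alert",
        "Name": "Authentication failure [32038]",
        "Severity": "Medium",
    }],
    "AlertCounts": 1,
}]
SAMPLE_IOCS = [{
    "Artifact": "anx.tb.ask.com",
    "IocIngestTime": "2020-02-06T22:00:00Z",
    "FirstAccessedTime": "2018-10-03T02:12:51Z",
    "LastAccessedTime": "2020-02-14T05:59:27Z",
    "Sources": [{"Category": "Spyware Reporting Server", "Source": "ET Intelligence Rep List"}],
}]

if __name__ == "__main__":
    for inc in asset_alerts_to_incidents(SAMPLE_ALERTS, set(), 10):
        print(inc["name"], inc["severity"])
    for inc in ioc_matches_to_incidents(SAMPLE_IOCS, 10):
        print(inc["name"])
```

Keeping each incident's rawJSON to the single record it came from (rather than the whole page of results) is what lets later enrichment and deduplication in XSOAR work per alert.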

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. gcb-list-iocs
  2. gcb-assets
  3. ip
  4. domain
  5. gcb-ioc-details
  6. gcb-list-alerts
  7. gcb-list-events

1. gcb-list-iocs


Lists the IOC Domain matches within your enterprise for the specified time interval. An indicator of compromise (IOC) domain match is a domain that your security infrastructure has flagged as suspicious and that has also been seen recently within your enterprise.

Base Command

gcb-list-iocs

Input

| Argument Name | Description | Required |
|---|---|---|
| preset_time_range | Fetches IOC Domain matches in the specified time interval. If configured, overrides the start_time argument. | Optional |
| start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. | Optional |
| page_size | The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name of the artifact. |
| GoogleChronicleBackstory.Iocs.Artifact | String | The Indicator artifact. |
| GoogleChronicleBackstory.Iocs.IocIngestTime | Date | Time (UTC) the IOC was first seen by Chronicle. |
| GoogleChronicleBackstory.Iocs.FirstAccessedTime | Date | Time (UTC) the artifact was first seen within your enterprise. |
| GoogleChronicleBackstory.Iocs.LastAccessedTime | Date | Time (UTC) the artifact was most recently seen within your enterprise. |
| GoogleChronicleBackstory.Iocs.Sources.Category | String | Source Category represents the behavior of the artifact. |
| GoogleChronicleBackstory.Iocs.Sources.IntRawConfidenceScore | Number | The numeric confidence score of the IOC reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.NormalizedConfidenceScore | String | The normalized confidence score of the IOC reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.RawSeverity | String | The severity of the IOC as reported by the source. |
| GoogleChronicleBackstory.Iocs.Sources.Source | String | The source that reported the IOC. |
Command Example

!gcb-list-iocs page_size=1 preset_time_range="Last 1 day"

Context Example
{
    "GoogleChronicleBackstory.Iocs": [
        {
            "FirstAccessedTime": "2018-10-03T02:12:51Z",
            "Sources": [
                {
                    "Category": "Spyware Reporting Server",
                    "RawSeverity": "Medium",
                    "NormalizedConfidenceScore": "Low",
                    "IntRawConfidenceScore": 0,
                    "Source": "ET Intelligence Rep List"
                }
            ],
            "LastAccessedTime": "2020-02-14T05:59:27Z",
            "Artifact": "anx.tb.ask.com",
            "IocIngestTime": "2020-02-06T22:00:00Z"
        }
    ],
    "Domain": [
        {
            "Name": "anx.tb.ask.com"
        }
    ]
}
Human Readable Output

IOC Domain Matches

| Domain | Category | Source | Confidence | Severity | IOC ingest time | First seen | Last seen |
|---|---|---|---|---|---|---|---|
| anx.tb.ask.com | Spyware Reporting Server | ET Intelligence Rep List | Low | Medium | 7 days ago | a year ago | 3 hours ago |

2. gcb-assets


Returns a list of the assets that accessed the input artifact (IP, domain, MD5, SHA1 and SHA256) during the specified time.

Base Command

gcb-assets

Input

| Argument Name | Description | Required |
|---|---|---|
| artifact_value | The artifact indicator associated with assets. The artifact type can be one of the following: IP, Domain, MD5, SHA1, or SHA256. | Required |
| preset_time_range | Fetches assets that accessed the artifact during the interval specified. If configured, overrides the start_time and end_time arguments. | Optional |
| start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. | Optional |
| end_time | The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is current UTC time. | Optional |
| page_size | The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| GoogleChronicleBackstory.Asset.HostName | String | The hostname of the asset that accessed the artifact. |
| GoogleChronicleBackstory.Asset.IpAddress | String | The IP address of the asset that accessed the artifact. |
| GoogleChronicleBackstory.Asset.MacAddress | String | The MAC address of the asset that accessed the artifact. |
| GoogleChronicleBackstory.Asset.ProductId | String | The Product ID of the asset that accessed the artifact. |
| GoogleChronicleBackstory.Asset.AccessedDomain | String | The domain artifact accessed by the asset. |
| GoogleChronicleBackstory.Asset.AccessedIP | String | The IP address artifact accessed by the asset. |
| GoogleChronicleBackstory.Asset.AccessedMD5 | String | The MD5 file hash artifact accessed by the asset. |
| GoogleChronicleBackstory.Asset.AccessedSHA1 | String | The SHA1 file hash artifact accessed by the asset. |
| GoogleChronicleBackstory.Asset.AccessedSHA256 | String | The SHA256 file hash artifact accessed by the asset. |
| GoogleChronicleBackstory.Asset.FirstAccessedTime | Date | The time when the asset first accessed the artifact. |
| GoogleChronicleBackstory.Asset.LastAccessedTime | Date | The time when the asset last accessed the artifact. |
| Host.Hostname | String | The hostname of the asset that accessed the artifact. |
| Host.ID | String | The Product ID of the asset that accessed the artifact. |
| Host.IP | String | The IP address of the asset that accessed the artifact. |
| Host.MACAddress | String | The MAC address of the asset that accessed the artifact. |
Command Example

!gcb-assets artifact_value=bing.com preset_time_range="Last 1 day"

Context Example
{
    "GoogleChronicleBackstory.Asset": [
        {
            "FirstAccessedTime": "2018-10-18T04:38:44Z",
            "AccessedDomain": "bing.com",
            "HostName": "james-anderson-laptop",
            "LastAccessedTime": "2020-02-14T07:13:33Z"
        },
        {
            "FirstAccessedTime": "2018-10-18T02:01:51Z",
            "AccessedDomain": "bing.com",
            "HostName": "roger-buchmann-pc",
            "LastAccessedTime": "2020-02-13T22:25:27Z"
        }
    ],
    "Host": [
        {
            "Hostname": "james-anderson-laptop"
        },
        {
            "Hostname": "roger-buchmann-pc"
        }
    ]
}
Human Readable Output

Assets related to artifact - bing.com

| Host Name | Host IP | Host MAC | First Accessed Time | Last Accessed Time |
|---|---|---|---|---|
| james-anderson-laptop | - | - | 2018-10-18T04:38:44Z | 2020-02-14T07:13:33Z |
| roger-buchmann-pc | - | - | 2018-10-18T02:01:51Z | 2020-02-13T22:25:27Z |

View assets in Chronicle

3. ip


Checks the reputation of an IP address.

Base Command

ip

Input

| Argument Name | Description | Required |
|---|---|---|
| ip | The IP address to check. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad). |
| IP.Address | String | The IP address of the artifact. |
| IP.Malicious.Vendor | String | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | String | For malicious IPs, the reason that the vendor made the decision. |
| GoogleChronicleBackstory.IP.IoCQueried | String | The artifact that was queried. |
| GoogleChronicleBackstory.IP.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Address.Port | Number | The port number of the artifact. |
| GoogleChronicleBackstory.IP.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.IP.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.IP.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.IP.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.IP.Sources.Severity | String | Impact of the artifact on the enterprise. |
Command Example

!ip ip=23.20.239.12

Context Example
{
    "IP": {
        "Address": "23.20.239.12"
    },
    "DBotScore": {
        "Vendor": "Google Chronicle Backstory",
        "Indicator": "23.20.239.12",
        "Score": 0,
        "Type": "ip"
    },
    "GoogleChronicleBackstory.IP": {
        "Sources": [
            {
                "Category": "Known CnC for Mobile specific Family",
                "FirstAccessedTime": "2018-12-05T00:00:00Z",
                "Severity": "High",
                "ConfidenceScore": 70,
                "Address": [
                    {
                        "IpAddress": "23.20.239.12",
                        "Port": [
                            80
                        ]
                    }
                ],
                "LastAccessedTime": "2019-04-10T00:00:00Z"
            },
            {
                "Category": "Blocked",
                "FirstAccessedTime": "1970-01-01T00:00:00Z",
                "Severity": "High",
                "ConfidenceScore": "High",
                "Address": [
                    {
                        "Domain": "mytemplatewebsite.com",
                        "Port": ""
                    },
                    {
                        "IpAddress": "23.20.239.12",
                        "Port": ""
                    }
                ],
                "LastAccessedTime": "2020-02-16T08:56:06Z"
            }
        ],
        "IoCQueried": "23.20.239.12"
    }
}
Human Readable Output

IP: 23.20.239.12 found with Reputation: Unknown

Reputation Parameters

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
|---|---|---|---|---|---|---|
| - | 23.20.239.12 | Known CnC for Mobile specific Family | 70 | High | 2018-12-05T00:00:00Z | 2019-04-10T00:00:00Z |
| mytemplatewebsite.com | 23.20.239.12 | Blocked | High | High | 1970-01-01T00:00:00Z | 2020-02-16T08:56:06Z |

View IoC details in Chronicle

4. domain


Checks the reputation of a domain.

Base Command

domain

Input

| Argument Name | Description | Required |
|---|---|---|
| domain | The domain name to check. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The reputation score (0: Unknown, 1: Good, 2: Suspicious, 3: Bad). |
| Domain.Name | String | The domain name of the artifact. |
| Domain.Malicious.Vendor | String | For malicious domains, the vendor that made the decision. |
| Domain.Malicious.Description | String | For malicious domains, the reason that the vendor made the decision. |
| GoogleChronicleBackstory.Domain.IoCQueried | String | The domain that was queried. |
| GoogleChronicleBackstory.Domain.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Address.Port | Number | The port number of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.Domain.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.Domain.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.Domain.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.Domain.Sources.Severity | String | Impact of the artifact on the enterprise. |
Command Example

!domain domain=bing.com

Context Example
{
    "GoogleChronicleBackstory.Domain": {
        "Sources": [
            {
                "Category": "Observed serving executables",
                "FirstAccessedTime": "2013-08-06T00:00:00Z",
                "Severity": "Low",
                "ConfidenceScore": 67,
                "Address": [
                    {
                        "Domain": "bing.com",
                        "Port": [
                            80
                        ]
                    }
                ],
                "LastAccessedTime": "2020-01-14T00:00:00Z"
            }
        ],
        "IoCQueried": "bing.com"
    },
    "Domain": {
        "Name": "bing.com"
    },
    "DBotScore": {
        "Vendor": "Google Chronicle Backstory",
        "Indicator": "bing.com",
        "Score": 0,
        "Type": "domain"
    }
}
Human Readable Output

Domain: bing.com found with Reputation: Unknown

Reputation Parameters

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
|---|---|---|---|---|---|---|
| bing.com | - | Observed serving executables | 67 | Low | 2013-08-06T00:00:00Z | 2020-01-14T00:00:00Z |

View IoC details in Chronicle

5. gcb-ioc-details


Accepts an artifact indicator and returns any threat intelligence associated with the artifact. The threat intelligence information is drawn from your enterprise security systems and from Chronicle's IoC partners (for example, the DHS threat feed).

Base Command

gcb-ioc-details

Input

| Argument Name | Description | Required |
|---|---|---|
| artifact_value | The artifact indicator value. The supported artifact types are IP and domain. | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| Domain.Name | String | The domain name of the artifact. |
| IP.Address | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IocDetails.IoCQueried | String | The artifact entered by the user. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.IpAddress | String | The IP address of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.Domain | String | The domain name of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Address.Port | Number | The port number of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.Category | String | The behavior of the artifact. |
| GoogleChronicleBackstory.IocDetails.Sources.ConfidenceScore | Number | The confidence score indicating the accuracy and appropriateness of the assigned category. |
| GoogleChronicleBackstory.IocDetails.Sources.FirstAccessedTime | Date | The time the IOC was first accessed within the enterprise. |
| GoogleChronicleBackstory.IocDetails.Sources.LastAccessedTime | Date | The time the IOC was most recently seen within your enterprise. |
| GoogleChronicleBackstory.IocDetails.Sources.Severity | String | Impact of the artifact on the enterprise. |
Command Example

!gcb-ioc-details artifact_value=23.20.239.12

Context Example
{
    "IP": {
        "Address": "23.20.239.12"
    },
    "GoogleChronicleBackstory.IocDetails": {
        "Sources": [
            {
                "Category": "Known CnC for Mobile specific Family",
                "FirstAccessedTime": "2018-12-05T00:00:00Z",
                "Severity": "High",
                "ConfidenceScore": 70,
                "Address": [
                    {
                        "IpAddress": "23.20.239.12",
                        "Port": [
                            80
                        ]
                    }
                ],
                "LastAccessedTime": "2019-04-10T00:00:00Z"
            },
            {
                "Category": "Blocked",
                "FirstAccessedTime": "1970-01-01T00:00:00Z",
                "Severity": "High",
                "ConfidenceScore": "High",
                "Address": [
                    {
                        "Domain": "mytemplatewebsite.com",
                        "Port": ""
                    },
                    {
                        "IpAddress": "23.20.239.12",
                        "Port": ""
                    }
                ],
                "LastAccessedTime": "2020-02-16T08:56:06Z"
            }
        ],
        "IoCQueried": "23.20.239.12"
    }
}
Human Readable Output

IoC Details

| Domain | IP Address | Category | Confidence Score | Severity | First Accessed Time | Last Accessed Time |
|---|---|---|---|---|---|---|
| - | 23.20.239.12 | Known CnC for Mobile specific Family | 70 | High | 2018-12-05T00:00:00Z | 2019-04-10T00:00:00Z |
| mytemplatewebsite.com | 23.20.239.12 | Blocked | High | High | 1970-01-01T00:00:00Z | 2020-02-16T08:56:06Z |

View IoC details in Chronicle

6. gcb-list-alerts


List all the alerts tracked within your enterprise for the specified time range. Both the parsed alerts and their corresponding raw alert logs are returned.

Base Command

gcb-list-alerts

Input

| Argument Name | Description | Required |
|---|---|---|
| preset_time_range | Fetch alerts for the specified time range. If preset_time_range is configured, overrides the start_time and end_time arguments. | Optional |
| start_time | The value of the start time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is the UTC time corresponding to 3 days earlier than current time. | Optional |
| end_time | The value of the end time for your request, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the default is current UTC time. | Optional |
| page_size | The maximum number of IOCs to return. You can specify between 1 and 10000. The default is 10000. | Optional |
| severity | The severity by which to filter the returned alerts. If not supplied, all alerts are fetched. The possible values are "High", "Medium", "Low", or "Unspecified". | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| GoogleChronicleBackstory.Alert.AssetName | String | The asset identifier. It can be IP Address, MAC Address, Hostname or Product ID. |
| GoogleChronicleBackstory.Alert.AlertInfo.Name | String | The name of the alert. |
| GoogleChronicleBackstory.Alert.AlertInfo.Severity | String | The severity of the alert. |
| GoogleChronicleBackstory.Alert.AlertInfo.SourceProduct | String | The source of the alert. |
| GoogleChronicleBackstory.Alert.AlertInfo.Timestamp | String | The time of the alert in Backstory. |
| GoogleChronicleBackstory.Alert.AlertCounts | Number | The total number of alerts. |
Command Example

!gcb-list-alerts page_size=1 preset_time_range="Last 1 day"

Context Example
{
    "GoogleChronicleBackstory.Alert": [
        {
            "AssetName": "rosie-hayes-pc",
            "AlertInfo": [
                {
                    "Timestamp": "2020-02-14T03:02:36Z",
                    "SourceProduct": "Internal Alert",
                    "Name": "Authentication failure [32038]",
                    "Severity": "Medium"
                }
            ],
            "AlertCounts": 1
        }
    ]
}
Human Readable Output

Security Alert(s)

| Alerts | Asset | Alert Names | First Seen | Last Seen | Severities | Sources |
|---|---|---|---|---|---|---|
| 1 | rosie-hayes-pc | Authentication failure [32038] | 6 hours ago | 6 hours ago | Medium | Internal Alert |

7. gcb-list-events


List all of the events discovered within your enterprise on a particular device within the specified time range. If you receive the maximum number of events you specified using the page_size parameter (or 100, the default), there might still be more events within your Chronicle account. You can narrow the time range and issue the call again to ensure you have visibility into all possible events. This command returns more than 60 different types of events, and each event sets only the context fields that apply to its type. Refer to the UDM documentation for the output properties specific to each event type.
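The paragraph above leaves the "narrow the time range and issue the call again" step to the operator. The Python below is an added example, not the integration's own code, that automates it: whenever a call returns exactly page_size events the window is split in half and both halves are queried, recursing until every window returns fewer than a full page; a window that is still full at the minimum width is reported as saturated instead of being silently truncated. The fetch callable signature, the in-memory event store with 250 constructed events 28 seconds apart, and the use of productLogId as a deduplication key are assumptions of this example.

```python
"""Added example (not the integration's own code): collect every event for an
asset by bisecting the time window whenever a call returns a full page, the
re-query procedure the gcb-list-events description recommends. The fetch
callable, the event store and all timestamps are constructed for this example."""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"
# (start_time, end_time, page_size) -> list of UDM events, as gcb-list-events takes them.
FetchFn = Callable[[str, str, int], List[Dict]]


def to_rfc3339(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime(RFC3339)


def from_rfc3339(s: str) -> datetime:
    return datetime.strptime(s, RFC3339).replace(tzinfo=timezone.utc)


def fetch_all_events(fetch: FetchFn, start: datetime, end: datetime, page_size: int = 100,
                     min_window_seconds: int = 1) -> Tuple[List[Dict], List[Tuple[str, str]]]:
    """Return (events, saturated_windows).

    A full page means the window may hold more events than page_size, so it is
    split at its midpoint and both halves are fetched. A window that is still
    full at min_window_seconds cannot be narrowed further and is reported."""
    page = fetch(to_rfc3339(start), to_rfc3339(end), page_size)
    if len(page) < page_size:
        return page, []
    width = int((end - start).total_seconds())
    if width <= max(min_window_seconds, 1):
        return page, [(to_rfc3339(start), to_rfc3339(end))]
    mid = start + timedelta(seconds=width // 2)
    left, sat_left = fetch_all_events(fetch, start, mid, page_size, min_window_seconds)
    right, sat_right = fetch_all_events(fetch, mid, end, page_size, min_window_seconds)
    # Deduplicate on productLogId in case the backend treats window bounds inclusively.
    seen, merged = set(), []
    for ev in left + right:
        key = ev.get("productLogId")
        if key in seen:
            continue
        seen.add(key)
        merged.append(ev)
    return merged, sat_left + sat_right


# Constructed event store: 250 events spaced 28 seconds apart over about two hours.
WINDOW_START = from_rfc3339("2020-02-14T01:00:00Z")
WINDOW_END = WINDOW_START + timedelta(hours=2)
SAMPLE_EVENTS = [
    {"productLogId": f"evt-{i:04d}", "eventType": "NETWORK_CONNECTION",
     "eventTimestamp": to_rfc3339(WINDOW_START + timedelta(seconds=28 * i))}
    for i in range(250)
]


def fake_fetch(start_time: str, end_time: str, page_size: int) -> List[Dict]:
    """Stand-in for the API call: events with start <= timestamp < end, capped at page_size."""
    s, e = from_rfc3339(start_time), from_rfc3339(end_time)
    hits = [ev for ev in SAMPLE_EVENTS if s <= from_rfc3339(ev["eventTimestamp"]) < e]
    return hits[:page_size]


if __name__ == "__main__":
    single_call = fake_fetch(to_rfc3339(WINDOW_START), to_rfc3339(WINDOW_END), 100)
    events, saturated = fetch_all_events(fake_fetch, WINDOW_START, WINDOW_END, page_size=100)
    print(f"one call: {len(single_call)} events; bisected: {len(events)} events, "
          f"{len(saturated)} saturated windows")
```

A single call with the default page size sees only 100 of the 250 events; the bisection recovers all 250 with four leaf queries. Raising min_window_seconds trades completeness for fewer API calls, and the saturated list tells the analyst exactly which intervals were cut off.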

Base Command

gcb-list-events

Input

| Argument Name | Description | Required |
|---|---|---|
| asset_identifier_type | Specify the identifier type of the asset you are investigating. The possible values are Host Name, IP Address, MAC Address or Product ID. | Required |
| asset_identifier | Value of the asset identifier. | Required |
| preset_time_range | Get events that are discovered during the interval specified. If configured, overrides the start_time and end_time arguments. | Optional |
| start_time | The value of the start time for your request. The format of the date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers the UTC time corresponding to 2 hours earlier than current time. | Optional |
| end_time | The value of the end time for your request. The format of the date should comply with RFC 3339 (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers current UTC time. | Optional |
| page_size | Specify the maximum number of events to fetch. You can specify between 1 and 1000. The default is 100. | Optional |
| reference_time | Specify the reference time for the asset you are investigating, in RFC 3339 format (e.g. 2002-10-02T15:00:00Z). If not supplied, the product considers the start time as the reference time. | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| GoogleChronicleBackstory.Events.eventType | String | Specifies the type of the event. |
| GoogleChronicleBackstory.Events.eventTimestamp | Date | The GMT timestamp when the event was generated. |
| GoogleChronicleBackstory.Events.collectedTimestamp | Date | The GMT timestamp when the event was collected by the vendor's local collection infrastructure. |
| GoogleChronicleBackstory.Events.description | String | Human-readable description of the event. |
| GoogleChronicleBackstory.Events.productEventType | String | Short, descriptive, human-readable, and product-specific event name or type. |
| GoogleChronicleBackstory.Events.productLogId | String | A vendor-specific event identifier to uniquely identify the event (a GUID). Users might use this identifier to search the vendor's proprietary console for the event in question. |
| GoogleChronicleBackstory.Events.productName | String | Specifies the name of the product. |
| GoogleChronicleBackstory.Events.productVersion | String | Specifies the version of the product. |
| GoogleChronicleBackstory.Events.urlBackToProduct | String | URL linking to a relevant website where you can view more information about this specific event or the general event category. |
| GoogleChronicleBackstory.Events.vendorName | String | Specifies the product vendor's name. |
| GoogleChronicleBackstory.Events.principal.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.principal.email | String | Email address. |
| GoogleChronicleBackstory.Events.principal.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.principal.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.principal.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.principal.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.principal.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.principal.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.principal.mac | String | MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.principal.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.principal.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.principal.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.principal.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.principal.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.principal.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.principal.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.principal.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.principal.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.principal.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.principal.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.principal.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.principal.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.principal.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.principal.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.principal.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.principal.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.principal.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.principal.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.principal.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.principal.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.principal.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.principal.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.principal.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.principal.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.principal.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.principal.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.principal.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.principal.user.userid | String | Stores the user ID. |
| GoogleChronicleBackstory.Events.principal.user.windowsSid | String | Stores the Microsoft Windows security identifier (SID) associated with a user. |
| GoogleChronicleBackstory.Events.target.assetId | String | Vendor-specific unique device identifier. |
| GoogleChronicleBackstory.Events.target.email | String | Email address. |
| GoogleChronicleBackstory.Events.target.hostname | String | Client hostname or domain name field. |
| GoogleChronicleBackstory.Events.target.platform | String | Platform operating system. |
| GoogleChronicleBackstory.Events.target.platformPatchLevel | String | Platform operating system patch level. |
| GoogleChronicleBackstory.Events.target.platformVersion | String | Platform operating system version. |
| GoogleChronicleBackstory.Events.target.ip | String | IP address associated with a network connection. |
| GoogleChronicleBackstory.Events.target.port | String | Source or destination network port number when a specific network connection is described within an event. |
| GoogleChronicleBackstory.Events.target.mac | String | One or more MAC addresses associated with a device. |
| GoogleChronicleBackstory.Events.target.administrativeDomain | String | Domain which the device belongs to (for example, the Windows domain). |
| GoogleChronicleBackstory.Events.target.url | String | Standard URL. |
| GoogleChronicleBackstory.Events.target.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.target.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.target.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.target.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.target.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.target.process.commandLine | String | Stores the command line string for the process. |
| GoogleChronicleBackstory.Events.target.process.productSpecificProcessId | String | Stores the product specific process ID. |
| GoogleChronicleBackstory.Events.target.process.productSpecificParentProcessId | String | Stores the product specific process ID for the parent process. |
| GoogleChronicleBackstory.Events.target.process.file | String | Stores the file name of the file in use by the process. |
| GoogleChronicleBackstory.Events.target.process.file.fileMetadata | String | Metadata associated with the file. |
| GoogleChronicleBackstory.Events.target.process.file.fullPath | String | Full path identifying the location of the file on the system. |
| GoogleChronicleBackstory.Events.target.process.file.md5 | String | MD5 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.mimeType | String | Multipurpose Internet Mail Extensions (MIME) type of the file. |
| GoogleChronicleBackstory.Events.target.process.file.sha1 | String | SHA-1 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.sha256 | String | SHA-256 hash value of the file. |
| GoogleChronicleBackstory.Events.target.process.file.size | String | Size of the file. |
| GoogleChronicleBackstory.Events.target.process.parentPid | String | Stores the process ID for the parent process. |
| GoogleChronicleBackstory.Events.target.process.pid | String | Stores the process ID. |
| GoogleChronicleBackstory.Events.target.registry.registryKey | String | Stores the registry key associated with an application or system component. |
| GoogleChronicleBackstory.Events.target.registry.registryValueName | String | Stores the name of the registry value associated with an application or system component. |
| GoogleChronicleBackstory.Events.target.registry.registryValueData | String | Stores the data associated with a registry value. |
| GoogleChronicleBackstory.Events.target.user.emailAddresses | String | Stores the email addresses for the user. |
| GoogleChronicleBackstory.Events.target.user.employeeId | String | Stores the human resources employee ID for the user. |
| GoogleChronicleBackstory.Events.target.user.firstName | String | Stores the first name for the user. |
| GoogleChronicleBackstory.Events.target.user.middleName | String | Stores the middle name for the user. |
| GoogleChronicleBackstory.Events.target.user.lastName | String | Stores the last name for the user. |
| GoogleChronicleBackstory.Events.target.user.groupid | String | Stores the group ID associated with a user. |
| GoogleChronicleBackstory.Events.target.user.phoneNumbers | String | Stores the phone numbers for the user. |
| GoogleChronicleBackstory.Events.target.user.title | String | Stores the job title for the user. |
| GoogleChronicleBackstory.Events.target.user.userDisplayName | String | Stores the display name for the user. |
| GoogleChronicleBackstory.Events.target.user.userid | String | Stores the user ID. |
GoogleChronicleBackstory.Events.target.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.intermediary.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.intermediary.emailStringEmail address.
GoogleChronicleBackstory.Events.intermediary.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.intermediary.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.intermediary.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.intermediary.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.intermediary.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.intermediary.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.intermediary.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.intermediary.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.intermediary.urlStringStandard URL.
GoogleChronicleBackstory.Events.intermediary.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.intermediary.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.intermediary.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.intermediary.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.intermediary.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.intermediary.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.intermediary.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.intermediary.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.intermediary.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.intermediary.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.intermediary.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.intermediary.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.intermediary.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.intermediary.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.intermediary.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.intermediary.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.intermediary.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.intermediary.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.intermediary.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.intermediary.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.intermediary.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.src.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.src.emailStringEmail address.
GoogleChronicleBackstory.Events.src.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.src.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.src.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.src.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.src.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.src.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.src.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.src.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.src.urlStringStandard URL.
GoogleChronicleBackstory.Events.src.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.src.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.src.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.src.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.src.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.src.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.src.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.src.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.src.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.src.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.src.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.src.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.src.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.src.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.src.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.src.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.src.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.src.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.src.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.src.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.src.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.src.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.src.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.observer.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.observer.emailStringEmail address.
GoogleChronicleBackstory.Events.observer.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.observer.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.observer.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.observer.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.observer.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.observer.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.observer.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.observer.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.observer.urlStringStandard URL.
GoogleChronicleBackstory.Events.observer.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.observer.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.observer.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.observer.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.observer.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.observer.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.observer.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.observer.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.observer.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.observer.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.observer.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.observer.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.observer.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.observer.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.observer.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.observer.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.observer.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.observer.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.observer.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.observer.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.observer.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.observer.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.about.assetIdStringVendor-specific unique device identifier.
GoogleChronicleBackstory.Events.about.emailStringEmail address.
GoogleChronicleBackstory.Events.about.hostnameStringClient hostname or domain name field.
GoogleChronicleBackstory.Events.about.platformStringPlatform operating system.
GoogleChronicleBackstory.Events.about.platformPatchLevelStringPlatform operating system patch level.
GoogleChronicleBackstory.Events.about.platformVersionStringPlatform operating system version.
GoogleChronicleBackstory.Events.about.ipStringIP address associated with a network connection.
GoogleChronicleBackstory.Events.about.portStringSource or destination network port number when a specific network connection is described within an event.
GoogleChronicleBackstory.Events.about.macStringOne or more MAC addresses associated with a device.
GoogleChronicleBackstory.Events.about.administrativeDomainStringDomain which the device belongs to (for example, the Windows domain).
GoogleChronicleBackstory.Events.about.urlStringStandard URL.
GoogleChronicleBackstory.Events.about.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.commandLineStringStores the command line string for the process.
GoogleChronicleBackstory.Events.about.process.productSpecificProcessIdStringStores the product specific process ID.
GoogleChronicleBackstory.Events.about.process.productSpecificParentProcessIdStringStores the product specific process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.fileStringStores the file name of the file in use by the process.
GoogleChronicleBackstory.Events.about.process.file.fileMetadataStringMetadata associated with the file.
GoogleChronicleBackstory.Events.about.process.file.fullPathStringFull path identifying the location of the file on the system.
GoogleChronicleBackstory.Events.about.process.file.md5StringMD5 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.mimeTypeStringMultipurpose Internet Mail Extensions (MIME) type of the file.
GoogleChronicleBackstory.Events.about.process.file.sha1StringSHA-1 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sha256StringSHA-256 hash value of the file.
GoogleChronicleBackstory.Events.about.process.file.sizeStringSize of the file.
GoogleChronicleBackstory.Events.about.process.parentPidStringStores the process ID for the parent process.
GoogleChronicleBackstory.Events.about.process.pidStringStores the process ID.
GoogleChronicleBackstory.Events.about.registry.registryKeyStringStores the registry key associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueNameStringStores the name of the registry value associated with an application or system component.
GoogleChronicleBackstory.Events.about.registry.registryValueDataStringStores the data associated with a registry value.
GoogleChronicleBackstory.Events.about.user.emailAddressesStringStores the email addresses for the user.
GoogleChronicleBackstory.Events.about.user.employeeIdStringStores the human resources employee ID for the user.
GoogleChronicleBackstory.Events.about.user.firstNameStringStores the first name for the user.
GoogleChronicleBackstory.Events.about.user.middleNameStringStores the middle name for the user.
GoogleChronicleBackstory.Events.about.user.lastNameStringStores the last name for the user.
GoogleChronicleBackstory.Events.about.user.groupidStringStores the group ID associated with a user.
GoogleChronicleBackstory.Events.about.user.phoneNumbersStringStores the phone numbers for the user.
GoogleChronicleBackstory.Events.about.user.titleStringStores the job title for the user.
GoogleChronicleBackstory.Events.about.user.userDisplayNameStringStores the display name for the user.
GoogleChronicleBackstory.Events.about.user.useridStringStores the user ID.
GoogleChronicleBackstory.Events.about.user.windowsSidStringStores the Microsoft Windows security identifier (SID) associated with a user.
GoogleChronicleBackstory.Events.network.applicationProtocolStringIndicates the network application protocol.
GoogleChronicleBackstory.Events.network.directionStringIndicates the direction of network traffic.
GoogleChronicleBackstory.Events.network.emailStringSpecifies the email address for the sender/recipient.
GoogleChronicleBackstory.Events.network.ipProtocolStringIndicates the IP protocol.
GoogleChronicleBackstory.Events.network.receivedBytesStringSpecifies the number of bytes received.
GoogleChronicleBackstory.Events.network.sentBytesStringSpecifies the number of bytes sent.
GoogleChronicleBackstory.Events.network.dhcp.clientHostnameStringHostname for the client.
GoogleChronicleBackstory.Events.network.dhcp.clientIdentifierStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.fileStringFilename for the boot image.
GoogleChronicleBackstory.Events.network.dhcp.flagsStringValue for the DHCP flags field.
GoogleChronicleBackstory.Events.network.dhcp.hlenStringHardware address length.
GoogleChronicleBackstory.Events.network.dhcp.hopsStringDHCP hop count.
GoogleChronicleBackstory.Events.network.dhcp.htypeStringHardware address type.
GoogleChronicleBackstory.Events.network.dhcp.leaseTimeSecondsStringClient-requested lease time for an IP address in seconds.
GoogleChronicleBackstory.Events.network.dhcp.opcodeStringBOOTP op code.
GoogleChronicleBackstory.Events.network.dhcp.requestedAddressStringClient identifier.
GoogleChronicleBackstory.Events.network.dhcp.secondsStringSeconds elapsed since the client began the address acquisition/renewal process.
GoogleChronicleBackstory.Events.network.dhcp.snameStringName of the server which the client has requested to boot from.
GoogleChronicleBackstory.Events.network.dhcp.transactionIdStringClient transaction ID.
GoogleChronicleBackstory.Events.network.dhcp.typeStringDHCP message type.
GoogleChronicleBackstory.Events.network.dhcp.chaddrStringIP address for the client hardware.
GoogleChronicleBackstory.Events.network.dhcp.ciaddrStringIP address for the client.
GoogleChronicleBackstory.Events.network.dhcp.giaddrStringIP address for the relay agent.
GoogleChronicleBackstory.Events.network.dhcp.siaddrStringIP address for the next bootstrap server.
GoogleChronicleBackstory.Events.network.dhcp.yiaddrStringYour IP address.
GoogleChronicleBackstory.Events.network.dns.authoritativeStringSet to true for authoritative DNS servers.
GoogleChronicleBackstory.Events.network.dns.idStringStores the DNS query identifier.
GoogleChronicleBackstory.Events.network.dns.responseStringSet to true if the event is a DNS response.
GoogleChronicleBackstory.Events.network.dns.opcodeStringStores the DNS OpCode used to specify the type of DNS query (standard, inverse, server status, etc.).
GoogleChronicleBackstory.Events.network.dns.recursionAvailableStringSet to true if a recursive DNS lookup is available.
GoogleChronicleBackstory.Events.network.dns.recursionDesiredStringSet to true if a recursive DNS lookup is requested.
GoogleChronicleBackstory.Events.network.dns.responseCodeStringStores the DNS response code as defined by RFC 1035, Domain Names - Implementation and Specification.
GoogleChronicleBackstory.Events.network.dns.truncatedStringSet to true if this is a truncated DNS response.
GoogleChronicleBackstory.Events.network.dns.questions.nameStringStores the domain name.
GoogleChronicleBackstory.Events.network.dns.questions.classStringStores the code specifying the class of the query.
GoogleChronicleBackstory.Events.network.dns.questions.typeStringStores the code specifying the type of the query.
GoogleChronicleBackstory.Events.network.dns.answers.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.answers.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.answers.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.answers.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.answers.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.authority.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.authority.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.authority.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.authority.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.binaryDataStringStores the raw bytes of any non-UTF8 strings that might be included as part of a DNS response.
GoogleChronicleBackstory.Events.network.dns.additional.classStringStores the code specifying the class of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.dataStringStores the payload or response to the DNS question for all responses encoded in UTF-8 format.
GoogleChronicleBackstory.Events.network.dns.additional.nameStringStores the name of the owner of the resource record.
GoogleChronicleBackstory.Events.network.dns.additional.ttlStringStores the time interval for which the resource record can be cached before the source of the information should again be queried.
GoogleChronicleBackstory.Events.network.dns.additional.typeStringStores the code specifying the type of the resource record.
GoogleChronicleBackstory.Events.network.email.fromStringStores the from email address.
GoogleChronicleBackstory.Events.network.email.replyToStringStores the reply_to email address.
GoogleChronicleBackstory.Events.network.email.toStringStores the to email addresses.
GoogleChronicleBackstory.Events.network.email.ccStringStores the cc email addresses.
GoogleChronicleBackstory.Events.network.email.bccStringStores the bcc email addresses.
GoogleChronicleBackstory.Events.network.email.mailIdStringStores the mail (or message) ID.
GoogleChronicleBackstory.Events.network.email.subjectStringStores the email subject line.
GoogleChronicleBackstory.Events.network.ftp.commandStringStores the FTP command.
GoogleChronicleBackstory.Events.network.http.methodStringStores the HTTP request method.
GoogleChronicleBackstory.Events.network.http.referralUrlStringStores the URL for the HTTP referer.
GoogleChronicleBackstory.Events.network.http.responseCodeStringStores the HTTP response status code, which indicates whether a specific HTTP request has been successfully completed.
GoogleChronicleBackstory.Events.network.http.useragentStringStores the User-Agent request header which includes the application type, operating system, software vendor or software version of the requesting software user agent.
GoogleChronicleBackstory.Events.authentication.authTypeStringType of system an authentication event is associated with (Chronicle UDM).
GoogleChronicleBackstory.Events.authentication.mechanismStringMechanism(s) used for authentication.
GoogleChronicleBackstory.Events.securityResult.aboutStringProvide a description of the security result.
GoogleChronicleBackstory.Events.securityResult.actionStringSpecify a security action.
GoogleChronicleBackstory.Events.securityResult.categoryStringSpecify a security category.
GoogleChronicleBackstory.Events.securityResult.confidenceStringSpecify a confidence with regards to a security event as estimated by the product.
GoogleChronicleBackstory.Events.securityResult.confidenceDetailsStringAdditional detail with regards to the confidence of a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityStringSpecify a priority with regards to a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.priorityDetailsStringVendor-specific information about the security result priority.
GoogleChronicleBackstory.Events.securityResult.ruleIdStringIdentifier for the security rule.
GoogleChronicleBackstory.Events.securityResult.ruleNameStringName of the security rule.
GoogleChronicleBackstory.Events.securityResult.severityStringSeverity of a security event as estimated by the product vendor using values defined by the Chronicle UDM.
GoogleChronicleBackstory.Events.securityResult.severityDetailsStringSeverity for a security event as estimated by the product vendor.
GoogleChronicleBackstory.Events.securityResult.threatNameStringName of the security threat.
GoogleChronicleBackstory.Events.securityResult.urlBackToProductStringURL to direct you to the source product console for this security event.
Command Example

!gcb-list-events asset_identifier_type="Host Name" asset_identifier="ray-xxx-laptop" start_time="2020-01-01T00:00:00Z" page_size="1"

Context Example
{
    "GoogleChronicleBackstory.Events": [
        {
            "principal": {
                "ip": [
                    "10.0.XX.XX"
                ],
                "mac": [
                    "88:a6:XX:XX:XX:XX"
                ],
                "hostname": "ray-xxx-laptop"
            },
            "target": {
                "ip": [
                    "8.8.8.8"
                ]
            },
            "network": {
                "applicationProtocol": "DNS",
                "dns": {
                    "questions": [
                        {
                            "type": 1,
                            "name": "is5-ssl.mzstatic.com"
                        }
                    ],
                    "answers": [
                        {
                            "type": 1,
                            "data": "104.118.212.43",
                            "name": "is5-ssl.mzstatic.com",
                            "ttl": 11111
                        }
                    ],
                    "response": true
                }
            },
            "collectedTimestamp": "2020-01-02T00:00:00Z",
            "productName": "ExtraHop",
            "eventTimestamp": "2020-01-01T23:59:38Z",
            "eventType": "NETWORK_DNS"
        }
    ]
}
Human Readable Output

Event(s) Details

| Event Timestamp | Event Type | Principal Asset Identifier | Target Asset Identifier | Queried Domain |
| 2020-01-01T23:59:38Z | NETWORK_DNS | ray-xxx-laptop | 8.8.8.8 | ninthdecimal.com |

View events in Chronicle

Maximum number of events specified in page_size has been returned. There might still be more events in your Chronicle account. To fetch the next set of events, execute the command with the start time as 2020-01-01T23:59:38Z
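The note above tells an analyst how to page through a full result set by hand: when the number of events returned equals page_size, rerun the command with start_time set to the last event timestamp on the page. The following is an added example, not code from the Chronicle integration or this README, showing how a playbook script or automation could do the same thing against the `GoogleChronicleBackstory.Events` context. The helper names (`dns_observations`, `next_start_time`, `next_page_command`) are hypothetical, and the sample context is constructed to mirror the context example above.

```python
import json
from datetime import datetime, timezone

# Chronicle timestamps in the context example are RFC 3339 at second precision, UTC.
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample context, shaped like the README's Context Example (not live data).
SAMPLE_CONTEXT = json.loads("""
{
  "GoogleChronicleBackstory.Events": [
    {
      "principal": {"ip": ["10.0.XX.XX"], "mac": ["88:a6:XX:XX:XX:XX"], "hostname": "ray-xxx-laptop"},
      "target": {"ip": ["8.8.8.8"]},
      "network": {
        "applicationProtocol": "DNS",
        "dns": {
          "questions": [{"type": 1, "name": "is5-ssl.mzstatic.com"}],
          "answers": [{"type": 1, "data": "104.118.212.43", "name": "is5-ssl.mzstatic.com", "ttl": 11111}],
          "response": true
        }
      },
      "collectedTimestamp": "2020-01-02T00:00:00Z",
      "productName": "ExtraHop",
      "eventTimestamp": "2020-01-01T23:59:38Z",
      "eventType": "NETWORK_DNS"
    }
  ]
}
""")


def parse_ts(ts):
    """Parse a Chronicle timestamp string into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def dns_observations(context):
    """Flatten NETWORK_DNS events into one row per question, joined with the
    answers that resolve that name: the queried domain and what it resolved to
    are the first things an analyst checks against threat intel."""
    rows = []
    for ev in context.get("GoogleChronicleBackstory.Events", []):
        if ev.get("eventType") != "NETWORK_DNS":
            continue
        dns = ev.get("network", {}).get("dns", {})
        principal = ev.get("principal", {})
        # Prefer the hostname; fall back to the first principal IP (lists in UDM).
        asset = principal.get("hostname") or (principal.get("ip") or [None])[0]
        target = (ev.get("target", {}).get("ip") or [None])[0]
        for q in dns.get("questions", []):
            name = q.get("name")
            rows.append({
                "timestamp": ev.get("eventTimestamp"),
                "principal": asset,
                "target": target,
                "queried_domain": name,
                "resolved_to": [a.get("data") for a in dns.get("answers", []) if a.get("name") == name],
            })
    return rows


def next_start_time(context, page_size):
    """Return the start_time for the follow-up !gcb-list-events call, or None
    when fewer than page_size events came back (nothing left to page)."""
    events = context.get("GoogleChronicleBackstory.Events", [])
    if len(events) < page_size:
        return None
    # Same rule as the human-readable note: resume from the latest event timestamp on the page.
    latest = max(parse_ts(ev["eventTimestamp"]) for ev in events)
    return latest.strftime(TS_FMT)


def next_page_command(context, page_size, asset_type, asset_id):
    """Build the next !gcb-list-events invocation, or None when paging is done."""
    start = next_start_time(context, page_size)
    if start is None:
        return None
    return (f'!gcb-list-events asset_identifier_type="{asset_type}" '
            f'asset_identifier="{asset_id}" start_time="{start}" page_size="{page_size}"')


if __name__ == "__main__":
    for row in dns_observations(SAMPLE_CONTEXT):
        print(row)
    print(next_page_command(SAMPLE_CONTEXT, 1, "Host Name", "ray-xxx-laptop"))
```

Because the resume point is an inclusive start time at one-second granularity, any events sharing that final timestamp are returned again on the next page; a loop built on `next_page_command` should deduplicate across pages before counting or alerting on results, and should stop once `next_start_time` returns None.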